CVE-2026-14683 in HdrHistograminfo

Summary

by MITRE • 07/05/2026

A vulnerability was detected in HdrHistogram up to 2.2.2. Affected by this issue is the function org.HdrHistogram.AbstractHistogram.decodeFromCompressedByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. The manipulation of the argument lengthOfCompressedContents results in uncontrolled memory allocation. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/05/2026

The vulnerability in HdrHistogram version 2.2.2 represents a critical memory allocation flaw that could lead to resource exhaustion and system instability. This weakness resides within the decodeFromCompressedByteBuffer function located in the AbstractHistogram.java file, where improper handling of the lengthOfCompressedContents argument creates an avenue for uncontrolled memory consumption. The vulnerability's impact is particularly concerning as it enables attackers to manipulate memory allocation patterns through crafted input data, potentially leading to denial of service conditions or system crashes.

The technical flaw manifests when the function processes compressed buffer contents without adequate validation of the length parameter, allowing malicious actors to specify arbitrarily large memory allocation requests. This type of vulnerability falls under the category of resource exhaustion attacks and can be classified as CWE-770 according to the Common Weakness Enumeration standard. The issue is particularly dangerous because it operates at the memory management level where unbounded allocation can quickly consume available system resources, leading to cascading failures in applications that depend on HdrHistogram for performance monitoring and statistical analysis.

The operational impact of this vulnerability extends beyond simple resource exhaustion, as it represents a potential attack vector for local privilege escalation scenarios. Since the exploit requires only local access, attackers with system-level privileges can leverage this flaw to consume excessive memory resources, potentially causing application crashes or system instability. The fact that public exploits exist demonstrates the maturity of the attack methodology and increases the likelihood of real-world exploitation. Organizations using HdrHistogram in production environments face significant risk as this vulnerability can be exploited to disrupt services through memory exhaustion attacks.

Security practitioners should prioritize immediate mitigation strategies including upgrading to patched versions of HdrHistogram, implementing input validation controls, and monitoring for anomalous memory allocation patterns. The vulnerability's classification under ATT&CK technique T1499.001 for resource exhaustion attacks highlights the need for robust process monitoring and memory allocation limits. Additionally, organizations should consider implementing network segmentation and access controls to limit local attack surfaces while maintaining proper application-level input sanitization to prevent exploitation through malformed compressed data inputs.

Responsible

VulDB

Disclosure

07/05/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00118

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!