CVE-2026-14684 in HdrHistograminfo

Summary

by MITRE • 07/05/2026

A flaw has been found in HdrHistogram up to 2.2.2. This affects the function org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. This manipulation of the argument numberOfSignificantValueDigits causes uncontrolled memory allocation. The attack can only be executed locally. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/05/2026

The vulnerability in HdrHistogram version 2.2.2 represents a critical memory allocation flaw that resides within the AbstractHistogram.decodeFromByteBuffer method implementation. This issue manifests through improper handling of the numberOfSignificantValueDigits parameter, which when manipulated can lead to uncontrolled memory consumption patterns. The flaw specifically targets the decoding process where the library attempts to reconstruct histogram data from byte buffers, creating a potential avenue for memory exhaustion attacks.

The technical exploitation of this vulnerability occurs through local manipulation of the numberOfSignificantValueDigits argument during the decodeFromByteBuffer function execution. When an attacker supplies crafted values to this parameter, the underlying implementation fails to properly validate or constrain memory allocation requests, potentially allowing malicious inputs to trigger excessive heap consumption. This type of vulnerability falls under the category of memory exhaustion attacks and can be classified as a CWE-400 weakness related to uncontrolled resource consumption.

The operational impact of this vulnerability extends beyond simple performance degradation to potentially system-wide stability issues. Local attackers who can influence the input parameters to the decodeFromByteBuffer method can cause the application to allocate excessive amounts of memory, leading to denial of service conditions, application crashes, or even system resource exhaustion that affects other running processes. The fact that exploit code has been published and is potentially available for use significantly increases the threat level.

Security practitioners should consider this vulnerability in the context of ATT&CK framework category T1499 which covers resource exhaustion attacks and T1059 which encompasses command and control activities that might leverage such memory manipulation techniques. The vulnerability's local attack surface makes it particularly concerning for systems where untrusted data might be processed through histogram decoding functions, especially in applications that handle performance monitoring, logging, or telemetry data from multiple sources.

Mitigation strategies should include immediate patching to version 2.2.3 or later where the memory allocation validation has been addressed. Organizations should also implement input validation controls around any calls to decodeFromByteBuffer methods and consider parameter sanitization for the numberOfSignificantValueDigits argument. Additionally, monitoring systems should be configured to detect unusual memory consumption patterns that might indicate exploitation attempts, particularly in environments where HdrHistogram is used for processing external data streams or telemetry inputs from potentially untrusted sources.

Responsible

VulDB

Disclosure

07/05/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00120

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!