CVE-2026-14684
Status: Received - Intake

Uncontrolled Memory Allocation in HdrHistogram

Vulnerability report for CVE-2026-14684, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A flaw has been found in HdrHistogram up to 2.2.2. It affects the function org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer in the file src/main/java/org/HdrHistogram/AbstractHistogram.java. Manipulation of the argument numberOfSignificantValueDigits causes uncontrolled memory allocation. The attack can only be executed locally. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor        Product       Version / Range
hdrhistogram  hdrhistogram  up to 2.2.2 (inclusive)

Exploitability

CWE ID   Description
CWE-789  The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CWE-400  The product does not properly control the allocation and maintenance of a limited resource.

AI Quick Actions

Executive Summary

The vulnerability CVE-2026-14684 affects HdrHistogram versions 2.2.2 and earlier. It is caused by a flaw in the decodeFromByteBuffer() method of the AbstractHistogram class, where unvalidated parameters read from an attacker-controlled ByteBuffer are used directly. Specifically, the numberOfSignificantValueDigits argument is manipulated to cause uncontrolled memory allocation.

The excessive allocation arises because extreme parameter values, such as Long.MAX_VALUE for highestTrackableValue combined with a numberOfSignificantValueDigits of 5, make the constructor size a very large countsArray. Decoding such a buffer can consume significant heap memory and result in an Out-of-Memory (OOM) error.

The attack can only be executed locally and the exploit has been published. The root cause is the lack of bounds validation on these parameters before they are passed to the Histogram constructor.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition by causing the affected application to consume excessive memory and potentially crash due to Out-of-Memory errors.

Applications that decode histograms from untrusted or attacker-controlled sources, such as distributed monitoring or metrics collection systems, are particularly at risk.

An attacker with local access can exploit this flaw by providing specially crafted input that triggers large memory allocations, disrupting the availability of the affected service.

Detection Guidance

This vulnerability involves unvalidated parameters in the decodeFromByteBuffer() method of HdrHistogram, which can cause excessive memory allocation leading to Out-of-Memory errors.

Detection can focus on monitoring for abnormal memory usage or Out-of-Memory (OOM) errors in applications using HdrHistogram versions 2.2.2 or earlier, especially those decoding histograms from untrusted sources.

Since the attack is local and triggered by specific malformed ByteBuffer inputs, network detection is limited. Instead, system-level monitoring for processes consuming unusually high heap memory or crashing due to OOM can help identify exploitation attempts.

Suggested commands include:

  • Use Java process monitoring tools like jcmd or jmap to check heap usage: `jcmd <pid> GC.heap_info`, or `jmap -heap <pid>` on JDK 8 (the `-heap` option was removed in later JDKs, where `jhsdb jmap --heap --pid <pid>` is the equivalent)
  • Monitor system logs for OutOfMemoryError exceptions related to Java processes: `grep -i 'OutOfMemoryError' /var/log/*`
  • Use system monitoring tools to detect high memory usage: `top`, `htop`, or `ps aux --sort=-rss | head`
  • If possible, instrument the application to log or alert when decodeFromByteBuffer() is called with suspicious parameters or unusually large payloads.

Mitigation Strategies

Immediate mitigation involves preventing exploitation of the unvalidated parameters in the decodeFromByteBuffer() method that cause excessive memory allocation.

Since the vulnerability can only be exploited locally, restricting local access to the affected application or service is a key step.

  • Limit or control local user permissions to prevent unauthorized users from executing the vulnerable code.
  • Monitor and restrict inputs to the decodeFromByteBuffer() method to ensure parameters like highestTrackableValue and numberOfSignificantValueDigits are within safe bounds.
  • Apply any available patches or updates from the HdrHistogram project once released that add proper bounds validation.
  • If patching is not immediately possible, consider implementing input validation or sandboxing around the vulnerable code to prevent excessive memory allocation.
  • Monitor application logs and system metrics for signs of exploitation attempts, such as sudden spikes in memory usage or OOM errors.
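
The bounds check recommended above can be applied before the library allocates anything. The following Python block is an added example, not code from the HdrHistogram project or from this report: it models the bucket-sizing arithmetic HdrHistogram uses to derive its counts-array length from lowestDiscernibleValue, highestTrackableValue and numberOfSignificantValueDigits, and uses that estimate to refuse a buffer whose decoded histogram would exceed a memory budget. The sizing formulas are this example's reading of the library's algorithm (an assumption, not an official API), the function names and the 4 MiB default budget are constructed, and the caller is assumed to have already read the three header fields out of the encoded ByteBuffer. Under this model a typical latency histogram (1 µs to 1 hour, 3 digits) needs about 184 KiB of counts, while the Long.MAX_VALUE / 5-digit case named in the executive summary needs about 47 MiB per decode, which is why repeated decoding of untrusted buffers exhausts the heap.

```python
"""Allocation-budget gate for HdrHistogram-style encoded histograms.

Constructed example, not code from the HdrHistogram project or this report.
It models the bucket-sizing arithmetic HdrHistogram uses to size its counts
array from the three header parameters, so a consumer can estimate the
allocation a header would trigger and refuse the buffer before calling
decodeFromByteBuffer(). The formulas are this example's reading of the
library's algorithm (an assumption); all function names are hypothetical.
"""
import math

LONG_MAX = 2**63 - 1          # Java Long.MAX_VALUE
COUNT_BYTES = 8               # Histogram stores counts in a long[]


def counts_array_length(lowest_discernible: int, highest_trackable: int,
                        significant_digits: int) -> int:
    """Number of count slots a Histogram with these parameters would allocate."""
    # Same argument constraints the Histogram constructor enforces.
    if not 0 <= significant_digits <= 5:
        raise ValueError("numberOfSignificantValueDigits must be in 0..5")
    if lowest_discernible < 1:
        raise ValueError("lowestDiscernibleValue must be >= 1")
    if highest_trackable < 2 * lowest_discernible:
        raise ValueError("highestTrackableValue must be >= 2 * lowestDiscernibleValue")

    # Each power-of-two bucket must resolve 2 * 10^digits distinct values,
    # rounded up to a power of two; that fixes the per-bucket sub-bucket count.
    largest_single_unit_value = 2 * 10**significant_digits
    sub_bucket_count = 1 << math.ceil(math.log2(largest_single_unit_value))
    unit_magnitude = math.floor(math.log2(lowest_discernible))

    # Buckets double in range; count how many are needed to reach
    # highestTrackableValue, stopping before the shift could overflow a long.
    smallest_untrackable = sub_bucket_count << unit_magnitude
    buckets_needed = 1
    while smallest_untrackable <= highest_trackable:
        buckets_needed += 1
        if smallest_untrackable > LONG_MAX // 2:
            break
        smallest_untrackable <<= 1
    # Bucket 0 uses all sub-buckets, every later bucket only the upper half.
    return (buckets_needed + 1) * (sub_bucket_count // 2)


def estimated_counts_bytes(lowest_discernible: int, highest_trackable: int,
                           significant_digits: int) -> int:
    """Heap bytes the counts array alone would occupy."""
    return counts_array_length(lowest_discernible, highest_trackable,
                               significant_digits) * COUNT_BYTES


def check_decode_budget(lowest_discernible: int, highest_trackable: int,
                        significant_digits: int,
                        max_bytes: int = 4 * 1024 * 1024) -> tuple[bool, int]:
    """Gate to run on the header fields before decodeFromByteBuffer().

    Returns (accepted, estimated_bytes). Out-of-range parameters are rejected
    with an estimate of 0 rather than raising, so callers treat them like any
    other rejected buffer. max_bytes is a constructed default; tune it to the
    largest histogram the application legitimately exchanges.
    """
    try:
        size = estimated_counts_bytes(lowest_discernible, highest_trackable,
                                      significant_digits)
    except ValueError:
        return False, 0
    return size <= max_bytes, size


if __name__ == "__main__":
    # Typical latency histogram: 1 us .. 1 hour in us, 3 significant digits.
    print(check_decode_budget(1, 3_600_000_000, 3))
    # Worst case named in the report: Long.MAX_VALUE with 5 significant digits.
    print(check_decode_budget(1, LONG_MAX, 5))
```

Run the gate on every inbound buffer before handing it to the decoder; a rejection is also a useful signal to log for the detection guidance above, since legitimate producers rarely change their histogram parameters.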

Compliance Impact

The provided information does not specify any direct impact of the vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
