CVE-2026-14685
Status: Received - Intake

Integer Overflow in HdrHistogram Java Library

Vulnerability report for CVE-2026-14685, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability has been found in HdrHistogram up to 2.2.2. It affects the function recordValueWithCount in the file src/main/java/org/HdrHistogram/AbstractHistogram.java of the component AbstractHistogram. Manipulation of the argument count leads to a state issue. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: hdrhistogram
Product: hdrhistogram
Version / Range: up to 2.2.2 (inclusive)

Exploitability

CWE: CWE-371 (State Issues)

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-14685 vulnerability affects the HdrHistogram library, specifically versions 2.2.2 and earlier. It exists in the recordValueWithCount() method of the AbstractHistogram class, where the count parameter is not properly validated.

This lack of validation allows an attacker to pass negative values for the count, which corrupts the internal state of the histogram by manipulating the totalCount and individual bucket values.

Such manipulation can lead to incorrect calculations of percentiles and means within the histogram data.

Impact Analysis

Exploiting this vulnerability can corrupt monitoring data by injecting negative counts, which affects the accuracy of metrics such as latency measurements and request rates.

  • It can suppress SLA violation detection by hiding high-latency measurements.
  • It can falsify request rate metrics, leading to misleading performance data.
  • It can disable threshold-based alerts, causing failures or issues to go unnoticed.

Overall, this can lead to incorrect alerting decisions and degraded monitoring reliability.

Detection Guidance

This vulnerability can be detected by monitoring for abnormal or corrupted histogram data, such as negative total counts or inconsistent percentile calculations in the HdrHistogram metrics.

Specifically, detection involves checking the integrity of the histogram data produced by the `recordValueWithCount()` method, looking for negative or manipulated count values that should not occur under normal operation.

Since the exploit involves injecting negative counts through metrics APIs or monitoring agent data receivers, commands or scripts that query these metrics endpoints and validate the count values can help detect exploitation attempts.

However, no specific detection commands are provided in the available resources.

Mitigation Strategies

Immediate mitigation involves validating and sanitizing the `count` parameter before it is processed by the `recordValueWithCount()` method to ensure only positive values are accepted.

Restrict access to the metrics APIs or monitoring agent data receivers to trusted local environments only, as the attack requires local access.

Monitor histogram data for signs of corruption such as negative total counts or inconsistent percentile calculations to detect exploitation attempts early.

Since the project has not yet responded with a patch, consider implementing input validation as a temporary fix or applying any available updates once released.
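A guard of the kind described above, added here as an example and not code from the HdrHistogram project: it wraps `Histogram`, rejects non-positive counts before `recordValueWithCount()` is ever reached, and exposes an integrity check that compares `getTotalCount()` against the sum of the per-bucket counts. It assumes the standard `org.HdrHistogram.Histogram` API (constructor, `recordValueWithCount`, `getTotalCount`, `recordedValues`, `getValueAtPercentile`); the sample values in `main` are constructed.

```java
import org.HdrHistogram.Histogram;
import org.HdrHistogram.HistogramIterationValue;

/** Wrapper that validates the count argument before delegating to the library. */
public final class GuardedHistogram {
    private final Histogram histogram;

    public GuardedHistogram(long highestTrackableValue, int significantDigits) {
        this.histogram = new Histogram(highestTrackableValue, significantDigits);
    }

    /** Only positive counts are forwarded; anything else is rejected up front. */
    public void recordValueWithCount(long value, long count) {
        if (count <= 0) {
            throw new IllegalArgumentException("count must be positive, got " + count);
        }
        histogram.recordValueWithCount(value, count);
    }

    /** Integrity check for the corruption pattern the advisory describes:
     *  totalCount and every bucket count must be non-negative, and
     *  totalCount must equal the sum of the bucket counts. */
    public boolean isConsistent() {
        long total = histogram.getTotalCount();
        if (total < 0) {
            return false;
        }
        long sum = 0;
        for (HistogramIterationValue v : histogram.recordedValues()) {
            long c = v.getCountAtValueIteratedTo();
            if (c < 0) {
                return false;
            }
            sum += c;
        }
        return sum == total;
    }

    public Histogram unwrap() {
        return histogram;
    }

    public static void main(String[] args) {
        // Constructed sample: latencies in microseconds, 3 significant digits.
        GuardedHistogram g = new GuardedHistogram(3_600_000_000L, 3);
        g.recordValueWithCount(250_000, 10);  // 10 requests at 250 ms
        g.recordValueWithCount(5_000_000, 2); // 2 slow requests at 5 s
        try {
            g.recordValueWithCount(5_000_000, -2); // negative count: rejected here
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("consistent=" + g.isConsistent()
            + " p99=" + g.unwrap().getValueAtPercentile(99.0));
    }
}
```

Run `isConsistent()` periodically (or at scrape time) on histograms that are fed from metrics receivers; a `false` result is the negative-total or bucket-mismatch signal the detection guidance above refers to.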

Compliance Impact

The vulnerability in HdrHistogram allows manipulation of monitoring data by injecting negative counts, which can corrupt histogram state and falsify performance metrics such as latency measurements and request rates.

Such manipulation could affect compliance with standards and regulations such as GDPR or HIPAA where those rely on accurate monitoring and alerting for system performance, availability, or security incident detection.

However, there is no explicit information in the provided context or resources about direct effects on compliance with these regulations.
