CVE-2026-14686
Status: Received - Intake

DoubleHistogram Range Check Comparison Vulnerability

Vulnerability report for CVE-2026-14686, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability was found in HdrHistogram up to and including version 2.2.2. It affects the function org.HdrHistogram.DoubleHistogram.recordValue in the file src/main/java/org/HdrHistogram/DoubleHistogram.java, in the component Range Check. Manipulation of the recorded value results in an incorrect comparison. The attack is only possible with local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.


Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

1 associated CPE

Vendor: hdrhistogram
Product: hdrhistogram
Version / Range: up to 2.2.2 (inclusive)

CWE

CWE-697: The product compares two entities in a security-relevant context, but the comparison is incorrect.

Executive Summary

CVE-2026-14686 is a vulnerability in the HdrHistogram library, specifically in the DoubleHistogram.recordValue(double value) method in versions up to 2.2.2.

The issue occurs because the method does not explicitly reject the special IEEE 754 double values NaN (Not-a-Number) and Infinity. In Java every ordered comparison involving NaN (<, <=, >, >=) evaluates to false, so a range check written as "value < lowest || value > highest" never rejects a NaN argument, and NaN bypasses the check.

As a result, a NaN value slips through validation; when the scaled value is narrowed from double to long, Java converts NaN to 0L, so a phantom count is recorded in bucket 0. This silently corrupts the histogram: all subsequent percentile and mean calculations include the bogus sample, and no exception is thrown and nothing is logged.

The vulnerability requires local access to exploit and has been publicly disclosed. The proposed fix is to check explicitly for NaN and Infinity in recordValue and throw an IllegalArgumentException when either is detected; at the time of this report the project had not responded to the issue.

Impact Analysis

This vulnerability can impact any application using the HdrHistogram DoubleHistogram.recordValue() method with external double values, such as latency recordings from network data or metrics from external systems.

Because NaN values bypass validation and corrupt the histogram silently, the recorded data becomes inaccurate. This leads to incorrect percentile and mean calculations, which can mislead performance monitoring, analysis, or decision-making processes relying on this data.

Since the corruption is silent and does not raise exceptions or logs, it can be difficult to detect, potentially causing prolonged data integrity issues.

The attack requires local access, so the risk depends on the environment and who can execute code locally.

Detection Guidance

This vulnerability involves the HdrHistogram library's DoubleHistogram.recordValue method improperly handling NaN and Infinity values, which silently corrupts histogram data without exceptions or logs.

Detection involves checking if your application or system is using HdrHistogram version 2.2.2 or earlier and if it processes external double values that might include NaN or Infinity.

Since the issue is local and affects internal data handling, network-based detection commands are not applicable.

To detect the vulnerability on your system, you can:

  • Check the version of HdrHistogram used in your application dependencies (e.g., using Maven or Gradle commands for Java projects).
  • Review application logs or code to identify usage of DoubleHistogram.recordValue with external double inputs.
  • Add instrumentation or debugging to detect whether NaN or Infinity values reach recordValue; such values should never be passed in, and with the proposed fix applied they would raise an IllegalArgumentException instead of being silently recorded.
  • Use static code analysis or grep commands to find calls to recordValue in your codebase, for example: `grep -r 'recordValue' ./src`.
Mitigation Strategies

Immediate mitigation involves preventing NaN and Infinity values from being passed to the DoubleHistogram.recordValue method.

Since the vulnerability requires local access and manipulation of input values, ensure that inputs to the histogram are validated before recording.

  • Update HdrHistogram to a release that includes the fix (an explicit NaN/Infinity check that throws an IllegalArgumentException) as soon as one is published; as noted in the Description, no fixed release was available at the time of this report.
  • If an updated version is not yet available, implement input validation in your application code to reject or sanitize NaN and Infinity values before calling recordValue.
  • Restrict local access to systems running vulnerable versions to trusted users only.
  • Monitor application behavior for unexpected histogram results or anomalies in percentile and mean calculations, which may indicate exploitation.
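
The following Java class is an added example, not code from the HdrHistogram project. It shows the two points made above: first, why a range check built only from ordered comparisons lets NaN through (and why the narrowed value lands in bucket 0), and second, the application-side guard recommended in the mitigation list, which validates every sample before delegating to DoubleHistogram.recordValue. It assumes the org.hdrhistogram:HdrHistogram 2.x artifact is on the classpath; the class name SafeDoubleRecorder, its helper methods and the sample latencies are constructed for illustration.

```java
import org.HdrHistogram.DoubleHistogram;

// Added example, not HdrHistogram project code. Assumes the org.hdrhistogram:HdrHistogram
// artifact (2.x) is on the classpath; SafeDoubleRecorder and its helpers are hypothetical.
public final class SafeDoubleRecorder {

    // Mirrors the flawed pattern the advisory describes: a range check built only from
    // ordered comparisons. In Java every ordered comparison with NaN is false, so neither
    // branch fires and NaN is accepted.
    static boolean vulnerableRangeCheckRejects(double value, double lowest, double highest) {
        return value < lowest || value > highest;
    }

    // Hardened form of the same check: reject NaN and +/-Infinity before comparing.
    static boolean hardenedRangeCheckRejects(double value, double lowest, double highest) {
        if (Double.isNaN(value) || Double.isInfinite(value)) {
            return true;
        }
        return value < lowest || value > highest;
    }

    // Java's narrowing conversion from double to long maps NaN to 0L; this is why a NaN
    // that survives the check ends up as a count in bucket 0.
    static long narrowToLong(double value) {
        return (long) value;
    }

    private final DoubleHistogram histogram;
    private long rejected;

    SafeDoubleRecorder(int numberOfSignificantValueDigits) {
        this.histogram = new DoubleHistogram(numberOfSignificantValueDigits);
    }

    // Application-side guard for the unpatched library: validate, then delegate.
    // Non-finite input is counted and dropped rather than thrown, so one bad sample from
    // an upstream metrics source cannot corrupt the histogram or crash the recorder.
    boolean record(double value) {
        if (!Double.isFinite(value)) {
            rejected++;
            return false;
        }
        histogram.recordValue(value);
        return true;
    }

    long recordedCount() {
        return histogram.getTotalCount();
    }

    long rejectedCount() {
        return rejected;
    }

    double p99() {
        return histogram.getValueAtPercentile(99.0);
    }

    public static void main(String[] args) {
        // Constructed sample: latencies in milliseconds with two non-finite values mixed in,
        // as an upstream metrics feed might produce them.
        double[] samples = {12.5, 40.0, Double.NaN, 7.25, Double.POSITIVE_INFINITY, 100.0};

        System.out.println("vulnerable check rejects NaN: "
                + vulnerableRangeCheckRejects(Double.NaN, 1.0, 1_000_000.0));
        System.out.println("hardened check rejects NaN:   "
                + hardenedRangeCheckRejects(Double.NaN, 1.0, 1_000_000.0));
        System.out.println("(long) NaN = " + narrowToLong(Double.NaN));

        SafeDoubleRecorder recorder = new SafeDoubleRecorder(3);
        for (double s : samples) {
            recorder.record(s);
        }
        System.out.println("recorded=" + recorder.recordedCount()
                + " rejected=" + recorder.rejectedCount()
                + " p99=" + recorder.p99());
    }
}
```

Running main shows the vulnerable check returning false for NaN while the hardened check returns true, the narrowing conversion yielding 0, and the guarded recorder accepting the four finite samples and rejecting the two non-finite ones. The guard drops and counts bad input instead of throwing; if your service would rather fail loudly, replace the early return with an IllegalArgumentException, which is the behaviour the proposed library fix introduces.
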
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
