PatchSiren cyber security CVE debrief

CVE-2026-14683 HdrHistogram CVE debrief

CVE-2026-14683 is a vulnerability detected in HdrHistogram up to version 2.2.2. The issue affects the function org.HdrHistogram.AbstractHistogram.decodeFromCompressedByteBuffer in the file src/main/java/org/HdrHistogram/AbstractHistogram.java. Manipulation of the argument lengthOfCompressedContents results in uncontrolled memory allocation. The attack requires local access. An exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Vendor: HdrHistogram
Product: HdrHistogram
CVSS: LOW 1.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-07-04
Original CVE updated: 2026-07-04
Advisory published: 2026-07-04
Advisory updated: 2026-07-04

Who should care

Developers and operators running HdrHistogram up to version 2.2.2 should be aware of this vulnerability and take the necessary steps to mitigate the risk. The CVSS score is low (1.9), indicating relatively low severity; however, because an exploit is public, the issue should be addressed promptly.

Technical summary

CVE-2026-14683 is caused by uncontrolled memory allocation in the function org.HdrHistogram.AbstractHistogram.decodeFromCompressedByteBuffer: the length field read from the compressed input (lengthOfCompressedContents) drives an allocation without being bounded. The issue is exploitable locally, and an exploit is now public. The CVSS vector is CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The associated weaknesses are CWE-400 (Uncontrolled Resource Consumption) and CWE-789 (Memory Allocation with Excessive Size Value).
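As an added illustration that is not part of this debrief or of the HdrHistogram project's code, the following Java snippet shows the CWE-789 mitigation pattern the summary points at: a length field read from untrusted input is checked against the bytes actually supplied and a deployment cap before it is allowed to size any allocation. The header layout assumed here (a 4-byte cookie followed by a 4-byte big-endian length, then the payload), the cookie value and the 16 MiB cap are assumptions for illustration; verify them against the version you run before using such a pre-check ahead of a call to decodeFromCompressedByteBuffer.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

/**
 * Added example, not HdrHistogram project code. Shows the CWE-789 / CWE-400
 * mitigation pattern for a length-prefixed compressed blob: validate the
 * declared length against the bytes actually present and a policy cap before
 * any allocation sized by it. Assumed (hypothetical) layout: 4-byte cookie,
 * then 4-byte big-endian "length of compressed contents", then payload.
 */
public final class BoundedCompressedLength {
    static final int HEADER_BYTES = 8;                         // cookie + length field
    static final int MAX_COMPRESSED_BYTES = 16 * 1024 * 1024;  // deployment policy cap (assumption)

    /** Reads the declared length from a read-only view; the caller's position is untouched. */
    static int declaredLength(ByteBuffer untrusted) {
        ByteBuffer view = untrusted.asReadOnlyBuffer().order(ByteOrder.BIG_ENDIAN);
        if (view.remaining() < HEADER_BYTES) {
            throw new IllegalArgumentException("buffer shorter than header");
        }
        view.getInt();            // cookie: format identification, not validated here
        return view.getInt();     // lengthOfCompressedContents as declared by the input
    }

    /** True only when the declared length is non-negative, under the cap, and backed by real bytes. */
    static boolean isSafeToDecode(ByteBuffer untrusted) {
        final int len;
        try {
            len = declaredLength(untrusted);
        } catch (IllegalArgumentException e) {
            return false;
        }
        if (len < 0) return false;                          // negative int: new byte[len] throws, or is huge if widened to long
        if (len > MAX_COMPRESSED_BYTES) return false;       // exceeds policy cap (CWE-400)
        return len <= untrusted.remaining() - HEADER_BYTES; // input claims more bytes than it carries
    }

    /** Vulnerable pattern: the untrusted field sizes the allocation directly. */
    static byte[] naiveExtractPayload(ByteBuffer untrusted) {
        int len = declaredLength(untrusted);
        byte[] payload = new byte[len];                     // hostile len -> OutOfMemoryError / NegativeArraySizeException
        ByteBuffer view = untrusted.asReadOnlyBuffer();
        view.position(view.position() + HEADER_BYTES);
        view.get(payload);
        return payload;
    }

    /** Hardened pattern: refuse before allocating. A real decoder would hand the validated buffer to its inflater here. */
    static byte[] guardedExtractPayload(ByteBuffer untrusted) {
        if (!isSafeToDecode(untrusted)) {
            throw new IllegalArgumentException("rejected: implausible lengthOfCompressedContents");
        }
        return naiveExtractPayload(untrusted);              // safe now: len is bounded and fully present
    }

    /** Builds a constructed sample blob with the given declared length and actual payload size. */
    static ByteBuffer sample(int declaredLen, int actualPayload) {
        ByteBuffer b = ByteBuffer.allocate(HEADER_BYTES + actualPayload).order(ByteOrder.BIG_ENDIAN);
        b.putInt(0x11223344);     // constructed cookie value, not a real format cookie
        b.putInt(declaredLen);
        b.put(new byte[actualPayload]);
        b.flip();
        return b;
    }

    public static void main(String[] args) {
        ByteBuffer honest   = sample(16, 16);                   // declared length matches payload
        ByteBuffer hostile  = sample(Integer.MAX_VALUE, 16);    // claims ~2 GiB, carries 16 bytes
        ByteBuffer negative = sample(-1, 16);                   // negative length

        System.out.println("honest   safe=" + isSafeToDecode(honest)
                + " payload=" + guardedExtractPayload(honest).length);
        System.out.println("hostile  safe=" + isSafeToDecode(hostile));
        System.out.println("negative safe=" + isSafeToDecode(negative));
        // naiveExtractPayload(hostile) would attempt a ~2 GiB allocation; the guard rejects it without allocating.
    }
}
```

Compile with javac and run: the honest sample passes and yields a 16-byte payload, while the oversized and negative samples are rejected before any allocation is attempted. The check in isSafeToDecode is the same kind of bound a fix inside the decoder itself would apply; as a compensating control it can run in the caller while a patched release is not yet available.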

Defensive priority

Given the low CVSS score (1.9) and the local attack vector (AV:L, PR:L), defenders should prioritize patching or mitigating this vulnerability according to their own risk assessment. Monitor for exploitation attempts and confirm that compensating controls are in place.

Recommended defensive actions

  • Patch HdrHistogram to a version later than 2.2.2 when one becomes available.
  • Implement compensating controls that limit local exploitation attempts.
  • Monitor for exploitation attempts and anomalous activity.
  • Review and update the asset inventory so that all affected systems are identified and addressed.
  • Consider additional security measures that reduce the attack surface.

Evidence notes

CVE-2026-14683 was detected in HdrHistogram up to version 2.2.2. The issue affects the function org.HdrHistogram.AbstractHistogram.decodeFromCompressedByteBuffer. The project was informed early but has not responded yet. An exploit is public, and the attack requires local access. The CVSS score is 1.9, indicating low severity.

Official resources

This article is AI-assisted and based on the supplied source corpus.