PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14684 HdrHistogram CVE debrief

CVE-2026-14684 is a vulnerability in HdrHistogram that allows for uncontrolled memory allocation. The CVE record was published on 2026-07-05T00:17:35.457Z and has not been modified since then. The NVD entry is currently Deferred. This issue affects the function org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java due to manipulation of the argument numberOfSignificantValueDigits. The attack can only be executed locally, and its actual existence is in question due to disputed security boundaries and prerequisites for a successful attack.

Vendor
HdrHistogram
Product
HdrHistogram
CVSS
LOW 1.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-05
Original CVE updated
2026-07-16
Advisory published
2026-07-05
Advisory updated
2026-07-16

Who should care

Users of HdrHistogram up to version 2.2.2 should be aware of this vulnerability and take necessary precautions. This includes reviewing the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance. They should also plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Technical summary

A flaw has been found in HdrHistogram up to 2.2.2 in the function org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. This manipulation of the argument numberOfSignificantValueDigits causes uncontrolled memory allocation. The attack can only be executed locally. The exploit has been published and may be used. However, the actual existence of this vulnerability is currently in question due to the potential lack of crossing of security boundaries and the pre-requisites for a successful attack.

Defensive priority

Low priority due to local attack vector and disputed existence.

Recommended defensive actions

  • Inventory and verify HdrHistogram version
  • Apply vendor remediation if available
  • Monitor for potential local attacks
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The actual existence of this vulnerability is currently in question. This issue is disputed due to the potential lack of crossing of security boundaries and the pre-requisites for a successful attack. The CVE record was published on 2026-07-05T00:17:35.457Z and has not been modified since then. The NVD entry is currently Deferred. Further verification and review of the affected product scope and vendor guidance are necessary.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-05T00:17:35.457Z and has not been modified since then. The NVD entry is currently Deferred.