PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14685 HdrHistogram CVE debrief

A vulnerability has been found in HdrHistogram up to 2.2.2. This vulnerability affects the function recordValueWithCount of the file src/main/java/org/HdrHistogram/AbstractHistogram.java of the component AbstractHistogram. Such manipulation of the argument Count leads to state issue. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. This issue is disputed due to the potential lack of crossing of security boundaries and the pre-requisites for a successful attack.

Vendor
HdrHistogram
Product
HdrHistogram
CVSS
LOW 1.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-05
Original CVE updated
2026-07-16
Advisory published
2026-07-05
Advisory updated
2026-07-16

Who should care

Users of HdrHistogram up to 2.2.2 should review and apply patches or mitigations as available. Security teams and developers integrating HdrHistogram into their projects should assess the risk and implement compensating controls if patches are not immediately feasible.

Technical summary

The vulnerability affects the recordValueWithCount function in AbstractHistogram.java of HdrHistogram up to 2.2.2. Manipulation of the Count argument leads to a state issue. The attack requires local access and its existence is disputed due to potential lack of security boundary crossing and specific prerequisites for a successful attack. Users should review the official CVE record and NVD details for further information.

Defensive priority

Low priority due to local attack vector and disputed existence

Recommended defensive actions

  • Review and apply patches or updates for HdrHistogram as they become available
  • Implement compensating controls to monitor and restrict access to sensitive components
  • Conduct thorough inventory checks to identify affected systems and components
  • Enhance monitoring and exception tracking for unusual activity related to HdrHistogram
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record was published on 2026-07-05T00:17:35.610Z and was last modified on 2026-07-16T08:16:17.687Z. The NVD entry is currently Deferred. The vulnerability has been disclosed publicly and its existence is disputed.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-05T00:17:35.610Z and has not been modified since then. The NVD entry is currently Deferred.