Description
A vulnerability was detected in HdrHistogram up to 2.2.2. Affected by this issue is the function org.HdrHistogram.AbstractHistogram.decodeFromCompressedByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. The manipulation of the argument lengthOfCompressedContents results in uncontrolled memory allocation. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-07-04
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in HdrHistogram's AbstractHistogram.decodeFromCompressedByteBuffer allows an attacker to supply a manipulated lengthOfCompressedContents value that causes the library to allocate an arbitrarily large amount of memory. The improper handling of this length field is a classic case of uncontrolled resource consumption (CWE-400) and memory allocation with an excessive size value (CWE-789). The resulting out-of-memory condition can crash the application or leave it unresponsive, denying service to legitimate users. All operations occur within a single process and require the attacker to supply crafted input, so the primary impact is resource exhaustion rather than direct code execution.

Affected Systems

The vulnerability affects any installation of HdrHistogram up to and including version 2.2.2. Users of the library who rely on AbstractHistogram.decodeFromCompressedByteBuffer for decompressing histogram data are at risk. No other products or versions are listed as affected.

Risk and Exploitability

The CVSS score of 4.8 denotes moderate severity; the exploit requires local access to the process and the attacker must be able to provide a malicious payload to the method. EPSS is currently unavailable, and the flaw is not listed in CISA’s KEV catalog, suggesting limited reported exploitation data. Nonetheless, the local attack vector means an insider or compromised application context could trigger excessive memory consumption, potentially leading to denial of service. The risk remains significant enough to warrant prompt assessment and mitigation.

Generated by OpenCVE AI on July 5, 2026 at 07:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Reject lengthOfCompressedContents values that exceed a predefined safe threshold before calling decodeFromCompressedByteBuffer, to prevent excessive allocation.
  • Validate or sanitize the lengthOfCompressedContents argument within the application logic to ensure it falls within an acceptable range for the deployed system.
  • Plan to upgrade HdrHistogram to a future release once the maintainers provide a patch; meanwhile monitor the project’s issue tracker for updates and apply any available workarounds or community fixes.
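One way to apply the first two recommendations in application code, as an added example that is not HdrHistogram's own code: a thin wrapper peeks at the length field before handing the buffer to Histogram.decodeFromCompressedByteBuffer. It assumes the compressed encoding begins with a 4-byte cookie followed by a 4-byte big-endian int (the lengthOfCompressedContents the description names) and then the deflated payload; the class name SafeHistogramDecoder and the cap maxCompressedBytes are hypothetical, deployment-specific choices.

```java
import java.nio.ByteBuffer;
import java.util.zip.DataFormatException;
import org.HdrHistogram.Histogram;

// Added example, not HdrHistogram project code. Assumed wire layout: a 4-byte
// cookie, then a 4-byte big-endian int (lengthOfCompressedContents), then the
// deflated payload. maxCompressedBytes is a hypothetical, deployment-chosen cap.
public final class SafeHistogramDecoder {
    private static final int COOKIE_BYTES = 4;
    private static final int LENGTH_BYTES = 4;
    private static final int HEADER_BYTES = COOKIE_BYTES + LENGTH_BYTES;

    private final int maxCompressedBytes;

    public SafeHistogramDecoder(int maxCompressedBytes) {
        if (maxCompressedBytes <= 0) {
            throw new IllegalArgumentException("maxCompressedBytes must be positive");
        }
        this.maxCompressedBytes = maxCompressedBytes;
    }

    /**
     * Reads the declared compressed length without moving the buffer position
     * and returns it only if it is non-negative, fits within the bytes actually
     * present, and stays under the configured cap. Anything else is rejected
     * before the library can act on the value.
     */
    public int checkedCompressedLength(ByteBuffer buffer) {
        if (buffer.remaining() < HEADER_BYTES) {
            throw new IllegalArgumentException("buffer too short to hold a compressed histogram header");
        }
        // Absolute get: peeks at the length field and leaves position() untouched for the real decoder.
        int declared = buffer.getInt(buffer.position() + COOKIE_BYTES);
        int available = buffer.remaining() - HEADER_BYTES;
        if (declared < 0) {
            throw new IllegalArgumentException("negative lengthOfCompressedContents: " + declared);
        }
        if (declared > available) {
            throw new IllegalArgumentException(
                "lengthOfCompressedContents " + declared + " exceeds the " + available + " payload bytes present");
        }
        if (declared > maxCompressedBytes) {
            throw new IllegalArgumentException(
                "lengthOfCompressedContents " + declared + " exceeds the configured cap of " + maxCompressedBytes);
        }
        return declared;
    }

    /** Decodes only after the length field has passed the checks above. */
    public Histogram decode(ByteBuffer buffer, long minBarForHighestTrackableValue) throws DataFormatException {
        checkedCompressedLength(buffer);
        return Histogram.decodeFromCompressedByteBuffer(buffer, minBarForHighestTrackableValue);
    }

    // Constructed input for a quick self-check: an 8-byte buffer whose length
    // field claims 1 GiB of payload that is not present. The guard rejects it
    // without ever calling into the library.
    public static void main(String[] args) {
        ByteBuffer header = ByteBuffer.allocate(HEADER_BYTES);
        header.putInt(0);          // cookie value is irrelevant to the length check
        header.putInt(1 << 30);    // declared length: 1 GiB
        header.flip();
        SafeHistogramDecoder guard = new SafeHistogramDecoder(16 * 1024 * 1024);
        try {
            guard.checkedCompressedLength(header);
            System.out.println("unexpected: header accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The public decode method takes the length from the buffer rather than as a parameter, which is why the wrapper inspects the header itself. Bounding the declared length by the bytes actually present is the check that cannot be wrong for well-formed input; the cap on top of it is the deployment-specific threshold the recommendations describe, and the check behaves the same for heap-backed and direct buffers.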

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 23:15:00 +0000

Type                | Values Removed | Values Added
Description         | -              | A vulnerability was detected in HdrHistogram up to 2.2.2. Affected by this issue is the function org.HdrHistogram.AbstractHistogram.decodeFromCompressedByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. The manipulation of the argument lengthOfCompressedContents results in uncontrolled memory allocation. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title               | -              | HdrHistogram AbstractHistogram.java memory allocation
First Time appeared | -              | Hdrhistogram; Hdrhistogram hdrhistogram
Weaknesses          | -              | CWE-400; CWE-789
CPEs                | -              | cpe:2.3:a:hdrhistogram:hdrhistogram:*:*:*:*:*:*:*:*
Vendors & Products  | -              | Hdrhistogram; Hdrhistogram hdrhistogram
References          | -              | -
Metrics             | -              | cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
                    |                | cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
                    |                | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
                    |                | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T23:00:10.759Z

Reserved: 2026-07-04T04:39:55.742Z

Link: CVE-2026-14683

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T07:45:03Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-789: Memory Allocation with Excessive Size Value