Impact
A flaw in HdrHistogram’s AbstractHistogram.decodeFromCompressedByteBuffer allows an attacker who controls the serialized input to supply a manipulated lengthOfCompressedContents value that the decoder uses to size an allocation without first checking it against the data actually present in the buffer. The library therefore attempts to allocate an arbitrarily large amount of memory on the attacker’s say-so. This is uncontrolled resource consumption (CWE‑400), specifically a memory allocation whose size is taken from an untrusted value (CWE‑789). The resulting out‑of‑memory condition can crash the JVM or leave the application unresponsive, denying service to legitimate users. The attacker controls only the size of the allocation, not its contents, and the effect is confined to the process that performs the decode, so the impact is resource exhaustion rather than code execution. Any application that decodes histograms received from an untrusted source (for example over the network or from files it did not produce itself) exposes this path to that source.
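To make the allocation pattern concrete, the following is an added example written for this page in Java; it is not HdrHistogram’s code and does not reproduce its wire format. It shows a hypothetical length‑prefixed compressed‑blob decoder in the unchecked form (the length field drives an allocation before anything is validated) beside a bounded form that rejects a length larger than what the buffer still holds, caps the compressed size, and inflates incrementally so the decompressed size is capped as well. The cookie value, the two caps and the header layout are assumptions chosen for the illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

/** Hypothetical decoder for "int32 cookie, int32 compressedLength, zlib bytes" (not HdrHistogram's code). */
public final class CompressedBlobDecoder {
    static final int COOKIE = 0x1c849303;                 // assumed magic value for this example
    static final int MAX_COMPRESSED_BYTES = 16 * 1024 * 1024; // assumed application-chosen caps
    static final int MAX_INFLATED_BYTES = 64 * 1024 * 1024;

    /** Vulnerable pattern: the untrusted length sizes an allocation before any check. */
    static byte[] decodeUnchecked(ByteBuffer buffer) throws DataFormatException {
        if (buffer.getInt() != COOKIE) throw new IllegalArgumentException("not a compressed blob");
        int length = buffer.getInt();
        // A crafted header can place Integer.MAX_VALUE here: the JVM tries to allocate ~2 GiB
        // (a negative value throws NegativeArraySizeException) before a single payload byte is read.
        byte[] compressed = new byte[length];
        buffer.get(compressed);
        return inflateAll(compressed, Integer.MAX_VALUE);
    }

    /** Hardened pattern: bound the length by what is present and by an explicit cap, then cap the output. */
    static byte[] decodeChecked(ByteBuffer buffer) throws DataFormatException {
        if (buffer.getInt() != COOKIE) throw new IllegalArgumentException("not a compressed blob");
        int length = buffer.getInt();
        if (length < 0 || length > buffer.remaining() || length > MAX_COMPRESSED_BYTES) {
            throw new IllegalArgumentException("compressed length " + length
                    + " not in [0, " + Math.min(buffer.remaining(), MAX_COMPRESSED_BYTES) + "]");
        }
        byte[] compressed = new byte[length];
        buffer.get(compressed);
        return inflateAll(compressed, MAX_INFLATED_BYTES);
    }

    /** Inflate in chunks so a zlib bomb cannot force one huge output allocation either. */
    static byte[] inflateAll(byte[] compressed, int maxOut) throws DataFormatException {
        Inflater inflater = new Inflater();
        try {
            inflater.setInput(compressed);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            while (!inflater.finished()) {
                int n = inflater.inflate(chunk);
                if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                    throw new DataFormatException("truncated or dictionary-dependent stream");
                }
                if (out.size() + n > maxOut) throw new DataFormatException("inflated size exceeds cap");
                out.write(chunk, 0, n);
            }
            return out.toByteArray();
        } finally {
            inflater.end();
        }
    }

    /** Builds a well-formed blob so the example runs offline. */
    static ByteBuffer encode(byte[] payload) {
        Deflater deflater = new Deflater();
        deflater.setInput(payload);
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        while (!deflater.finished()) {
            int n = deflater.deflate(buf);
            out.write(buf, 0, n);
        }
        deflater.end();
        byte[] z = out.toByteArray();
        ByteBuffer b = ByteBuffer.allocate(8 + z.length);
        b.putInt(COOKIE).putInt(z.length).put(z);
        b.flip();
        return b;
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = "constructed histogram payload".getBytes(StandardCharsets.US_ASCII);
        ByteBuffer good = encode(payload);
        System.out.println("checked decode: " + new String(decodeChecked(good.duplicate()), StandardCharsets.US_ASCII));

        // Constructed malicious header: valid cookie, length claims 2^31-1 bytes, zero bytes actually present.
        ByteBuffer evil = ByteBuffer.allocate(16);
        evil.putInt(COOKIE).putInt(Integer.MAX_VALUE);
        evil.flip();
        try {
            decodeChecked(evil.duplicate());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before allocating: " + e.getMessage());
        }
        // decodeUnchecked(evil.duplicate()) would attempt new byte[Integer.MAX_VALUE] at this point.
    }
}
```

The check that matters is `length > buffer.remaining()`: a length field in a serialized structure can never legitimately exceed the bytes that follow it, so that comparison costs nothing and rejects the crafted header before any allocation. The explicit caps are a second layer for inputs that are well‑formed but unreasonably large for the application.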
Affected Systems
The vulnerability affects HdrHistogram up to and including version 2.2.2. Any code path that calls AbstractHistogram.decodeFromCompressedByteBuffer (directly, or through the decodeFromCompressedByteBuffer methods of the concrete histogram classes) on data from an untrusted source is at risk. Because HdrHistogram is frequently pulled in transitively by metrics and client libraries rather than declared directly, check the resolved version in the build (for example `mvn dependency:tree -Dincludes=org.hdrhistogram` for Maven) rather than only the direct dependency list. No other products or versions are listed as affected.
Risk and Exploitability
The CVSS base score of 4.8 (Medium) reflects a local attack vector: the attacker must be able to deliver a crafted payload to the decoding method within the affected process. No EPSS score is currently available and the flaw is not listed in CISA’s KEV catalog, so there is little public exploitation data. Nonetheless, an insider, a compromised component in the same application, or any input channel that feeds serialized histograms to the decoder can trigger the excessive allocation and cause a denial of service. The risk warrants prompt assessment: upgrade to a release that corrects the length handling and, until then, avoid decoding histograms from untrusted sources or validate that the declared compressed length does not exceed the bytes remaining in the buffer before calling the decoder.
OpenCVE Enrichment