Description
A vulnerability was found in HdrHistogram up to 2.2.2. This issue affects the function org.HdrHistogram.DoubleHistogram.recordValue of the file src/main/java/org/HdrHistogram/DoubleHistogram.java of the component Range Check. Performing a manipulation results in incorrect comparison. The attack is only possible with local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-07-05
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in the HdrHistogram library, affecting versions up to 2.2.2, where the org.HdrHistogram.DoubleHistogram.recordValue method performs an incorrect comparison during range checking. This flaw allows a local attacker to manipulate input values such that the histogram records inaccurate data, potentially compromising data integrity in any component that relies on precise frequency counts.

Affected Systems

The affected product is the HdrHistogram open-source library, specifically versions 2.2.2 and earlier. No vendor-specified versions are listed beyond the open-source repository; any application embedding this library during that release window is potentially impacted.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderately low severity, and the EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access where the attacker can invoke recordValue, so the risk is confined to environments where code with local privileges can be run. While the issue is publicly disclosed, the project has not yet released a patch, which increases the window of exposure.

Generated by OpenCVE AI on July 5, 2026 at 07:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HdrHistogram library to a release where the recordValue range check bug is corrected (for example, 2.3.0 or later).
  • If an upgrade cannot be performed immediately, add defensive checks around recordValue to verify that the supplied value falls within the acceptable range before passing it to the library, mitigating the incorrect comparison logic.
  • Restrict local access to code paths that use the vulnerable library, and isolate the histogram usage from untrusted data sources, reducing the possibility of exploitation.
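The second recommended action, a caller-side range check in front of recordValue, as an added example (it is not code from the OpenCVE record or from the HdrHistogram project). It assumes only the public DoubleHistogram constructor and recordValue/getTotalCount methods; the accepted bounds, the class name GuardedDoubleHistogram and the sample values are all constructed for illustration. The guard treats NaN and infinities explicitly, because a plain min/max comparison against NaN is always false and would let such a value reach the library's own comparison.

```java
import org.HdrHistogram.DoubleHistogram;

/**
 * Added example, not part of the OpenCVE record or of HdrHistogram itself:
 * a thin wrapper that validates each sample before delegating to
 * DoubleHistogram.recordValue, so values outside the range the caller
 * intends to track are rejected by our own check rather than by the
 * library's range check. The accepted bounds are a caller-chosen assumption.
 */
public final class GuardedDoubleHistogram {
    private final DoubleHistogram histogram;
    private final double minAccepted; // assumed lower bound for valid samples
    private final double maxAccepted; // assumed upper bound for valid samples
    private long rejected;            // number of samples dropped by the guard

    public GuardedDoubleHistogram(int significantDigits, double minAccepted, double maxAccepted) {
        // Negated comparisons so that NaN bounds fail validation too.
        if (!(minAccepted >= 0) || !(maxAccepted > minAccepted)) {
            throw new IllegalArgumentException("bounds must satisfy 0 <= min < max");
        }
        this.histogram = new DoubleHistogram(significantDigits);
        this.minAccepted = minAccepted;
        this.maxAccepted = maxAccepted;
    }

    /** Returns true if the value was recorded, false if the guard rejected it. */
    public boolean record(double value) {
        // isFinite() is false for NaN and both infinities; the range comparison
        // alone would not reject NaN, since every comparison with NaN is false.
        if (!Double.isFinite(value) || value < minAccepted || value > maxAccepted) {
            rejected++;
            return false;
        }
        histogram.recordValue(value);
        return true;
    }

    public long rejectedCount() { return rejected; }

    public DoubleHistogram histogram() { return histogram; }

    public static void main(String[] args) {
        // Constructed sample input: plausible latencies in milliseconds plus
        // hostile values (negative, NaN, infinity, far beyond the bound).
        GuardedDoubleHistogram g = new GuardedDoubleHistogram(3, 0.0, 60_000.0);
        double[] samples = {1.5, 42.0, 999.9, -1.0, Double.NaN, Double.POSITIVE_INFINITY, 1e12};
        for (double s : samples) {
            System.out.println(s + " -> " + (g.record(s) ? "recorded" : "rejected"));
        }
        System.out.println("recorded: " + g.histogram().getTotalCount()
                + ", rejected: " + g.rejectedCount());
    }
}
```

Keeping a count of rejected samples is deliberate: a sudden rise in rejections from a code path that should only see well-formed measurements is the signal a defender would want to alert on, and it costs nothing beyond one counter.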



Advisories

No advisories yet.

History

Sun, 05 Jul 2026 00:30:00 +0000

Type / Values Removed / Values Added (newly published record: no values were removed)

Description: A vulnerability was found in HdrHistogram up to 2.2.2. This issue affects the function org.HdrHistogram.DoubleHistogram.recordValue of the file src/main/java/org/HdrHistogram/DoubleHistogram.java of the component Range Check. Performing a manipulation results in incorrect comparison. The attack is only possible with local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Title: HdrHistogram Range Check DoubleHistogram.java org.HdrHistogram.DoubleHistogram.recordValue comparison
First Time appeared: Hdrhistogram; Hdrhistogram hdrhistogram
Weaknesses: CWE-697
CPEs: cpe:2.3:a:hdrhistogram:hdrhistogram:*:*:*:*:*:*:*:*
Vendors & Products: Hdrhistogram; Hdrhistogram hdrhistogram
References: (none)
Metrics:
  cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Hdrhistogram Hdrhistogram
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-05T00:00:10.233Z

Reserved: 2026-07-04T04:40:18.249Z

Link: CVE-2026-14686

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T07:45:03Z

Weaknesses