Bug 2497103 (CVE-2026-14684)

Summary: CVE-2026-14684 org.hdrhistogram/HdrHistogram: HdrHistogram: HdrHistogram: Denial of Service via uncontrolled memory allocation in decodeFromByteBuffer
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: anpicker, bparees, dschmidt, hasun, jcantril, jfula, jkoehler, jlanda, jowilson, kshier, lphiri, nyancey, ometelka, ptisnovs, rhel-process-autobot, rojacob, simaishi, stcannon, syedriko, teagle, watson-tool-maintainers, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in HdrHistogram. A local attacker can exploit a vulnerability in the `decodeFromByteBuffer` function by manipulating the `numberOfSignificantValueDigits` argument. This manipulation leads to uncontrolled memory allocation, which can result in a Denial of Service (DoS) condition, making the affected system or application unavailable.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2497428    
Bug Blocks:    

Description OSIDB Bzimport 2026-07-05 00:01:49 UTC
A flaw has been found in HdrHistogram up to 2.2.2. This affects the function org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. This manipulation of the argument numberOfSignificantValueDigits causes uncontrolled memory allocation. The attack can only be executed locally. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.