Bug 2497102 (CVE-2026-14683) - CVE-2026-14683 HdrHistogram: HdrHistogram: Denial of Service via uncontrolled memory allocation
Summary: CVE-2026-14683 HdrHistogram: HdrHistogram: Denial of Service via uncontrolled...
Keywords:
Status: NEW
Alias: CVE-2026-14683
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2499341
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-05 00:01 UTC by OSIDB Bzimport
Modified: 2026-07-13 03:04 UTC (History)
21 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-05 00:01:45 UTC
A vulnerability was detected in HdrHistogram up to 2.2.2. Affected by this issue is the function org.HdrHistogram.AbstractHistogram.decodeFromCompressedByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. The manipulation of the argument lengthOfCompressedContents results in uncontrolled memory allocation. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Comment 2 Florencio Cano 2026-07-11 10:59:38 UTC
AI BU triage note: The upstream HdrHistogram project closed the referenced GitHub issue (https://github.com/HdrHistogram/HdrHistogram/issues/219) as 'BOGUS/SPAM FAKE CVE Report'. NVD status is 'Deferred'. Red Hat CVSS is 3.3/LOW. Pre-existing OSIDB affects on odh-model-registry-job-async-upload-rhel9 and odh-llm-d-inference-scheduler-rhel9 were set to NOTAFFECTED (Vulnerable Code not Present): those images ship the Rust hdrhistogram crate (7.5.4, cargo), which is a separate implementation unaffected by this Java-specific flaw (AbstractHistogram.java:2275-2281, decodeFromCompressedByteBuffer). New AFFECTED/DEFER affects were created for odh-trustyai-service-rhel9 and odh-workbench-jupyter-trustyai-cpu-py312-rhel9 across rhoai-2.25, rhoai-3.3, rhoai-3.4, which ship org.hdrhistogram/HdrHistogram 2.1.12 (Maven, in range per CVE reporter's claim of '2.2.2 and earlier'). No trackers filed (LOW/DEFER).


Note You need to log in before you can comment on or make changes to this bug.