Fedora Account System
Red Hat Associate
Red Hat Customer
A vulnerability was found in HdrHistogram up to 2.2.2. This issue affects the function org.HdrHistogram.DoubleHistogram.recordValue of the file src/main/java/org/HdrHistogram/DoubleHistogram.java of the component Range Check. Performing a manipulation results in incorrect comparison. The attack is only possible with local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
AI BU triage note: CVE-2026-14686 is from the same VulnDB CNA (cna) as sibling CVEs CVE-2026-14683 and CVE-2026-14685, which were both confirmed as 'BOGUS/SPAM FAKE CVE Reports' by the upstream HdrHistogram maintainers. No specific GitHub issue was linked for this CVE, but the same pattern applies (DoubleHistogram.recordValue in Java HdrHistogram). Red Hat CVSS is 3.3/LOW. Pre-existing OSIDB affects on odh-model-registry-job-async-upload-rhel9 and odh-llm-d-inference-scheduler-rhel9 were set to NOTAFFECTED (Vulnerable Code not Present): those images ship the Rust hdrhistogram crate (7.5.4, cargo), which is unaffected by this Java-specific flaw (DoubleHistogram.recordValue). New AFFECTED/DEFER affects were created for odh-trustyai-service-rhel9 and odh-workbench-jupyter-trustyai-cpu-py312-rhel9 across rhoai-2.25, rhoai-3.3, rhoai-3.4 (org.hdrhistogram/HdrHistogram 2.1.12, Maven, in range per CVE reporter claim). No trackers filed (LOW/DEFER).