Bug 2497105 (CVE-2026-14686) - CVE-2026-14686 HdrHistogram: HdrHistogram: Data integrity impact due to incorrect comparison
Summary: CVE-2026-14686 HdrHistogram: HdrHistogram: Data integrity impact due to incor...
Keywords:
Status: NEW
Alias: CVE-2026-14686
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2499342
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-05 01:01 UTC by OSIDB Bzimport
Modified: 2026-07-13 03:02 UTC (History)
21 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-05 01:01:33 UTC
A vulnerability was found in HdrHistogram up to 2.2.2. This issue affects the function org.HdrHistogram.DoubleHistogram.recordValue of the file src/main/java/org/HdrHistogram/DoubleHistogram.java of the component Range Check. Performing a manipulation results in incorrect comparison. The attack is only possible with local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Comment 4 Florencio Cano 2026-07-11 11:09:19 UTC
AI BU triage note: CVE-2026-14686 is from the same VulnDB CNA (cna) as sibling CVEs CVE-2026-14683 and CVE-2026-14685, which were both confirmed as 'BOGUS/SPAM FAKE CVE Reports' by the upstream HdrHistogram maintainers. No specific GitHub issue was linked for this CVE, but the same pattern applies (DoubleHistogram.recordValue in Java HdrHistogram). Red Hat CVSS is 3.3/LOW. Pre-existing OSIDB affects on odh-model-registry-job-async-upload-rhel9 and odh-llm-d-inference-scheduler-rhel9 were set to NOTAFFECTED (Vulnerable Code not Present): those images ship the Rust hdrhistogram crate (7.5.4, cargo), which is unaffected by this Java-specific flaw (DoubleHistogram.recordValue). New AFFECTED/DEFER affects were created for odh-trustyai-service-rhel9 and odh-workbench-jupyter-trustyai-cpu-py312-rhel9 across rhoai-2.25, rhoai-3.3, rhoai-3.4 (org.hdrhistogram/HdrHistogram 2.1.12, Maven, in range per CVE reporter claim). No trackers filed (LOW/DEFER).


Note You need to log in before you can comment on or make changes to this bug.