
PEACH
Un cadre d’isolation des locataires
CVE-2026-14684 is an uncontrolled memory allocation vulnerability in HdrHistogram (Java implementation) versions up to and including 2.2.2, affecting the org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer() function in src/main/java/org/HdrHistogram/AbstractHistogram.java. The flaw was reported via a GitHub issue on June 3, 2026, and published to the NVD on July 5, 2026; the project maintainers had not responded at time of disclosure (Github Advisory, GitHub Issue). The vulnerability carries a CVSS v3.1 base score of 3.3 (Low) as assessed by VulDB, though the original reporter argued for a score of 7.5 (High) under a network-exploitable scenario (Github Advisory).
The root cause is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-789 (Memory Allocation with Excessive Size Value). In decodeFromByteBuffer(), the parameters highestTrackableValue and numberOfSignificantValueDigits are read directly from an attacker-controlled ByteBuffer and passed without bounds validation to the Histogram constructor via reflection (at approximately line 2128 of AbstractHistogram.java). Setting highestTrackableValue to Long.MAX_VALUE and numberOfSignificantValueDigits to 5 causes the constructor to compute a countsArray of over 6 million entries (~47MB per histogram), which can exhaust JVM heap memory and trigger an OutOfMemoryError. A proof-of-concept demonstrating this behavior has been publicly published (GitHub Issue).
Successful exploitation results in a denial-of-service condition through heap exhaustion in the affected Java application. There is no confidentiality or integrity impact — the vulnerability is limited to availability. Applications most at risk are distributed monitoring systems, metrics aggregation services, and tracing backends that decode histogram data from untrusted sources, where a small crafted serialized payload (~40 bytes) can force allocation of tens to hundreds of megabytes of heap memory per decode operation (GitHub Issue).
ByteBuffer (e.g., a distributed metrics aggregation service or tracing backend).ByteBuffer with extreme parameter values — specifically highestTrackableValue = Long.MAX_VALUE (or a very large value such as 1e18) and numberOfSignificantValueDigits = 5.AbstractHistogram.decodeFromByteBuffer(), which reads the attacker-controlled parameters and passes them without validation to the Histogram constructor via reflection (line ~2128 of AbstractHistogram.java).countsArray of 6+ million entries (~47MB or more per call). Repeated invocations or a single call on a JVM with limited heap (e.g., -Xmx32m) triggers OutOfMemoryError, crashing or hanging the application (GitHub Issue).java.lang.OutOfMemoryError: Java heap space originating from org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer() or the Histogram constructor.highestTrackableValue or numberOfSignificantValueDigits in applications that accept histogram data over the network or from external sources.No official patch has been released by the HdrHistogram maintainers as of the disclosure date, and the project had not responded to the issue report (Github Advisory). Recommended interim mitigations include: (1) adding input validation on numberOfSignificantValueDigits (valid range: 0–5) and highestTrackableValue (enforce a safe maximum, e.g., 24 * 3600 * 1_000_000_000L) before invoking decodeFromByteBuffer(); (2) applying JVM-level heap limits and monitoring to constrain the blast radius of any OOM event; (3) restricting local and network access to systems that process untrusted histogram buffers; and (4) evaluating alternative histogram libraries if a patch remains unavailable (GitHub Issue).
The vulnerability was reported by researcher sara11h via a GitHub issue on June 3, 2026, with a detailed write-up including PoC code and a CVSS scoring rationale arguing for a High severity rating (7.5) based on network exploitability in distributed monitoring contexts — notably higher than VulDB's Low (3.3) assessment (GitHub Issue). The discrepancy in severity scoring reflects differing assumptions about the attack vector: VulDB scored it as local-only, while the reporter demonstrated that applications decoding histogram data from network sources could be exploited remotely. No significant media coverage or vendor statements beyond the GitHub issue and VulDB entry have been observed.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."