
PEACH
Un cadre d’isolation des locataires
CVE-2026-14685 is an improper input validation vulnerability in HdrHistogram's AbstractHistogram component that allows a local attacker to corrupt the histogram's internal state by passing negative values to the recordValueWithCount() function. It affects HdrHistogram versions 2.2.0, 2.2.1, and 2.2.2 (all versions up to and including 2.2.2). The vulnerability was reported via a GitHub issue on June 3, 2026, and published to NVD on July 5, 2026. The CVE was assigned by VulDB and carries a CVSS v3.1 base score of 3.3 (Low) and a CVSS v4.0 score of 1.9 (Low) (Github Advisory, VulDB).
The root cause is improper input validation (CWE-20 per the issue reporter; CWE-371 State Issues per NVD/VulDB) in the public method recordValueWithCount(long value, long count) located in src/main/java/org/HdrHistogram/AbstractHistogram.java (lines 478–480). The method passes the count parameter directly to recordCountAtValue() without checking whether it is positive, allowing negative values to be applied to internal counters. Exploitation requires local access and low privileges — an attacker (or malicious input source) with the ability to call this method can supply a negative count argument, causing totalCount and individual bucket counts to become negative, which corrupts percentile and mean calculations. A proof-of-concept demonstrating the issue has been publicly disclosed via the GitHub issue tracker (GitHub Issue #221).
Successful exploitation results in corruption of the histogram's internal state, including negative totalCount and negative per-bucket counts, which causes percentile calculations (e.g., p50, p99) and mean values to return incorrect or zero results. There is no confidentiality or availability impact; the impact is limited to integrity of monitoring and metrics data. In applications that expose histogram recording to external input — such as metrics ingestion APIs, monitoring agents, or distributed histogram aggregation systems — an attacker could suppress SLA violations, fabricate request rate data, or disable threshold-based alerting by injecting negative counts at targeted latency buckets (GitHub Issue #221, Github Advisory).
value and count parameters.recordValueWithCount().recordValueWithCount(targetValue, negativeCount) with a negative count argument, for example: histogram.recordValueWithCount(1000, -5);histogram.getTotalCount() returns a negative value and that getCountAtValue(targetValue) is negative, confirming corruption.getValueAtPercentile(99.0)) return 0 or incorrect values, effectively suppressing high-latency alerts or SLA violation detection (GitHub Issue #221).totalCount < 0, p99 = 0.0 when traffic is known to be present); Java exceptions such as ArrayIndexOutOfBoundsException from histogram internals.totalCount metrics reporting negative numbers.recordValueWithCount() with externally controlled parameters that are not validated for positivity before being passed to the histogram (GitHub Issue #221).The recommended remediation is to update HdrHistogram to a version beyond 2.2.2 that includes input validation for the count parameter. A patch is available via the GitHub Advisory (GHSA-j3mx-fh6g-v48r), though the upstream project had not yet responded to the issue report at time of disclosure. As a workaround, developers should add explicit validation before calling recordValueWithCount(), throwing an IllegalArgumentException if count <= 0. Additionally, restrict local access and privileges to any code paths that invoke this function, and validate all inputs passed to histogram recording interfaces, particularly from external or untrusted sources (Github Advisory, GitHub Issue #221).
The vulnerability was reported by user sara11h via a GitHub issue on June 3, 2026, with a detailed write-up including a proof-of-concept and CVSS scoring. As of the disclosure date, the HdrHistogram project maintainers had not responded to the issue. No significant broader media coverage, vendor statements, or notable researcher commentary beyond the original issue report have been identified (GitHub Issue #221).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."