CVE-2026-14685
Linux Debian Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-14685 is an improper input validation vulnerability in HdrHistogram's AbstractHistogram component that allows a local attacker to corrupt the histogram's internal state by passing negative values to the recordValueWithCount() function. It affects HdrHistogram versions 2.2.0, 2.2.1, and 2.2.2 (all versions up to and including 2.2.2). The vulnerability was reported via a GitHub issue on June 3, 2026, and published to NVD on July 5, 2026. The CVE was assigned by VulDB and carries a CVSS v3.1 base score of 3.3 (Low) and a CVSS v4.0 score of 1.9 (Low) (Github Advisory, VulDB).

Détails techniques

The root cause is improper input validation (CWE-20 per the issue reporter; CWE-371 State Issues per NVD/VulDB) in the public method recordValueWithCount(long value, long count) located in src/main/java/org/HdrHistogram/AbstractHistogram.java (lines 478–480). The method passes the count parameter directly to recordCountAtValue() without checking whether it is positive, allowing negative values to be applied to internal counters. Exploitation requires local access and low privileges — an attacker (or malicious input source) with the ability to call this method can supply a negative count argument, causing totalCount and individual bucket counts to become negative, which corrupts percentile and mean calculations. A proof-of-concept demonstrating the issue has been publicly disclosed via the GitHub issue tracker (GitHub Issue #221).

Impact

Successful exploitation results in corruption of the histogram's internal state, including negative totalCount and negative per-bucket counts, which causes percentile calculations (e.g., p50, p99) and mean values to return incorrect or zero results. There is no confidentiality or availability impact; the impact is limited to integrity of monitoring and metrics data. In applications that expose histogram recording to external input — such as metrics ingestion APIs, monitoring agents, or distributed histogram aggregation systems — an attacker could suppress SLA violations, fabricate request rate data, or disable threshold-based alerting by injecting negative counts at targeted latency buckets (GitHub Issue #221, Github Advisory).

Étapes d’exploitation

  1. Identify a target application: Locate an application that uses HdrHistogram ≤ 2.2.2 and exposes a metrics ingestion or histogram recording interface that accepts externally controlled value and count parameters.
  2. Gain local access or API access: Obtain low-privileged local access to the system or access to a network-exposed metrics API that internally calls recordValueWithCount().
  3. Craft a malicious call: Invoke recordValueWithCount(targetValue, negativeCount) with a negative count argument, for example: histogram.recordValueWithCount(1000, -5);
  4. Observe state corruption: Verify that histogram.getTotalCount() returns a negative value and that getCountAtValue(targetValue) is negative, confirming corruption.
  5. Achieve monitoring manipulation: With corrupted state, percentile queries (e.g., getValueAtPercentile(99.0)) return 0 or incorrect values, effectively suppressing high-latency alerts or SLA violation detection (GitHub Issue #221).

Indicateurs de compromis

  • Application Logs: Unexpected negative values returned by histogram metrics APIs (e.g., totalCount < 0, p99 = 0.0 when traffic is known to be present); Java exceptions such as ArrayIndexOutOfBoundsException from histogram internals.
  • Monitoring Dashboards: Sudden drops in reported percentile values (p50, p95, p99) to zero or near-zero without a corresponding drop in actual traffic; totalCount metrics reporting negative numbers.
  • Code/API Audit: Calls to recordValueWithCount() with externally controlled parameters that are not validated for positivity before being passed to the histogram (GitHub Issue #221).

Atténuation et solutions de contournement

The recommended remediation is to update HdrHistogram to a version beyond 2.2.2 that includes input validation for the count parameter. A patch is available via the GitHub Advisory (GHSA-j3mx-fh6g-v48r), though the upstream project had not yet responded to the issue report at time of disclosure. As a workaround, developers should add explicit validation before calling recordValueWithCount(), throwing an IllegalArgumentException if count <= 0. Additionally, restrict local access and privileges to any code paths that invoke this function, and validate all inputs passed to histogram recording interfaces, particularly from external or untrusted sources (Github Advisory, GitHub Issue #221).

Réactions de la communauté

The vulnerability was reported by user sara11h via a GitHub issue on June 3, 2026, with a detailed write-up including a proof-of-concept and CVSS scoring. As of the disclosure date, the HdrHistogram project maintainers had not responded to the issue. No significant broader media coverage, vendor statements, or notable researcher commentary beyond the original issue report have been identified (GitHub Issue #221).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Linux Debian Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-14686LOW1.9
  • Linux Debian logoLinux Debian
  • hdrhistogram
NonNonJul 05, 2026
CVE-2026-14685LOW1.9
  • Linux Debian logoLinux Debian
  • hdrhistogram
NonNonJul 05, 2026
CVE-2026-14684LOW1.9
  • Linux Debian logoLinux Debian
  • hdrhistogram
NonNonJul 05, 2026
CVE-2026-14683LOW1.9
  • Linux Debian logoLinux Debian
  • hdrhistogram
NonNonJul 04, 2026
CVE-2026-14570NONEN/A
  • Linux Debian logoLinux Debian
  • libcrypt-dsa-perl
NonNonJul 05, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités