CVE-2026-14686
Linux Debian Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-14686 is an incorrect comparison vulnerability in the DoubleHistogram.recordValue() function of HdrHistogram, a Java library for high dynamic range histogram recording. The flaw exists in src/main/java/org/HdrHistogram/DoubleHistogram.java (lines 333–334) and affects HdrHistogram versions 2.2.0 through 2.2.2. It was reported via a GitHub issue on June 3, 2026, and publicly disclosed on July 5, 2026, with the project maintainers not yet having responded. The vulnerability carries a CVSS v3.1 base score of 3.3 (Low) and a CVSS v4.0 base score of 1.9 (Low) (Github Advisory, GitHub Issue).

Détails techniques

The root cause is classified as CWE-697 (Incorrect Comparison): the range check in DoubleHistogram.recordValue() uses standard Java comparison operators (< and >=), which per IEEE 754 semantics always return false when either operand is NaN. This means passing Double.NaN as a value silently bypasses the boundary validation entirely. Subsequently, the cast (long)(NaN * conversionRatio) evaluates to 0L in Java, causing a phantom count to be recorded at bucket index 0 and corrupting all downstream statistical calculations (percentiles, mean, total count). A proof-of-concept demonstrating the bypass has been publicly disclosed in the GitHub issue (GitHub Issue). The attack requires local access and low privileges — an attacker must be able to supply input values to an application that passes them to DoubleHistogram.recordValue().

Impact

Successful exploitation results in silent data integrity corruption of histogram statistics — no exception is thrown, no error is logged, and the application continues operating with subtly wrong data. All percentile calculations (p50, p95, p99), mean values, and total counts derived from the affected histogram become unreliable after a single NaN injection. In monitoring or observability systems built on HdrHistogram (e.g., latency tracking, performance metrics), this corruption could suppress legitimate performance alerts or distort SLA reporting, with no confidentiality or availability impact (GitHub Issue, Github Advisory).

Étapes d’exploitation

  1. Identify a target application: Locate a Java application that uses HdrHistogram ≤ 2.2.2 and passes externally influenced double values to DoubleHistogram.recordValue() — common in latency monitoring, metrics pipelines, or systems parsing JSON/network data.
  2. Craft a NaN input: Prepare a Double.NaN value for injection. This can arise naturally from computations like 0.0/0.0, or be injected via a data source the application consumes (e.g., a JSON field containing NaN, a malformed metric value).
  3. Deliver the NaN value: Supply the NaN value through the application's input channel (e.g., a network request, a metrics API, a configuration value) such that it reaches the DoubleHistogram.recordValue(Double.NaN) call.
  4. Bypass range check: The comparison (value < currentLowestValueInAutoRange) || (value >= currentHighestValueLimitInAutoRange) evaluates to false || false for NaN per IEEE 754, so the range check is silently bypassed with no exception thrown.
  5. Achieve data corruption: The NaN is cast to 0L, recording a phantom entry at bucket 0. All subsequent statistical queries (mean, percentiles, total count) return corrupted results, potentially suppressing performance alerts or distorting SLA metrics (GitHub Issue).

Indicateurs de compromis

  • Application Behavior: Unexpected increase in totalCount without a corresponding legitimate recorded value; mean or percentile values that shift anomalously toward zero without a change in actual workload.
  • Logs: Absence of any exception or error log from the histogram library despite anomalous statistical output — the corruption is entirely silent by design.
  • Code/Data Audit: Histogram data showing a non-zero count at bucket 0 in contexts where zero-value measurements are not expected; discrepancy between recorded sample count and known input count.
  • Input Sources: Presence of NaN or Infinity string representations in JSON payloads, metric feeds, or configuration files consumed by the application (GitHub Issue).

Atténuation et solutions de contournement

No official patched release has been published by the HdrHistogram maintainers as of the disclosure date, and the project has not yet responded to the issue report. The recommended remediation is to update to a version of HdrHistogram newer than 2.2.2 once a fix is released, or apply the suggested code fix: add an explicit Double.isNaN(value) || Double.isInfinite(value) check at the start of recordValue() that throws an IllegalArgumentException. As an interim workaround, applications should validate all double inputs before passing them to DoubleHistogram.recordValue(), and restrict local access to applications using the vulnerable library. Previously recorded histogram data should be reviewed for potential corruption if untrusted inputs were processed (Github Advisory, GitHub Issue).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Linux Debian Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-14686LOW1.9
  • Linux Debian logoLinux Debian
  • hdrhistogram
NonNonJul 05, 2026
CVE-2026-14685LOW1.9
  • Linux Debian logoLinux Debian
  • hdrhistogram
NonNonJul 05, 2026
CVE-2026-14684LOW1.9
  • Linux Debian logoLinux Debian
  • hdrhistogram
NonNonJul 05, 2026
CVE-2026-14683LOW1.9
  • Linux Debian logoLinux Debian
  • hdrhistogram
NonNonJul 04, 2026
CVE-2026-14570NONEN/A
  • Linux Debian logoLinux Debian
  • libcrypt-dsa-perl
NonNonJul 05, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités