Source: hdrhistogram Version: 2.1.11-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for hdrhistogram. The issues itself do not really warrant a RC level, but I noticed that the package is at same old version across several releases and should probably get an update for forky at last? CVE-2026-14683[0]: | A vulnerability was detected in HdrHistogram up to 2.2.2. Affected | by this issue is the function | org.HdrHistogram.AbstractHistogram.decodeFromCompressedByteBuffer of | the file src/main/java/org/HdrHistogram/AbstractHistogram.java. The | manipulation of the argument lengthOfCompressedContents results in | uncontrolled memory allocation. The attack needs to be approached | locally. The exploit is now public and may be used. It is still | unclear if this vulnerability genuinely exists. This issue is | disputed due to the potential lack of crossing of security | boundaries and the pre-requisites for a successful attack. CVE-2026-14684[1]: | A flaw has been found in HdrHistogram up to 2.2.2. This affects the | function org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer of | the file src/main/java/org/HdrHistogram/AbstractHistogram.java. This | manipulation of the argument numberOfSignificantValueDigits causes | uncontrolled memory allocation. The attack can only be executed | locally. The exploit has been published and may be used. The actual | existence of this vulnerability is currently in question. This issue | is disputed due to the potential lack of crossing of security | boundaries and the pre-requisites for a successful attack. CVE-2026-14685[2]: | A vulnerability has been found in HdrHistogram up to 2.2.2. This | vulnerability affects the function recordValueWithCount of the file | src/main/java/org/HdrHistogram/AbstractHistogram.java of the | component AbstractHistogram. Such manipulation of the argument Count | leads to state issue. The attack can only be performed from a local | environment. The exploit has been disclosed to the public and may be | used. The existence of this vulnerability is still disputed at | present. This issue is disputed due to the potential lack of | crossing of security boundaries and the pre-requisites for a | successful attack. CVE-2026-14686[3]: | A vulnerability was found in HdrHistogram up to 2.2.2. This issue | affects the function org.HdrHistogram.DoubleHistogram.recordValue of | the file src/main/java/org/HdrHistogram/DoubleHistogram.java of the | component Range Check. Performing a manipulation results in | incorrect comparison. The attack is only possible with local access. | The exploit has been made public and could be used. The presence of | this vulnerability remains uncertain at this time. This issue is | disputed due to the potential lack of crossing of security | boundaries and the pre-requisites for a successful attack. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-14683 https://www.cve.org/CVERecord?id=CVE-2026-14683 [1] https://security-tracker.debian.org/tracker/CVE-2026-14684 https://www.cve.org/CVERecord?id=CVE-2026-14684 [2] https://security-tracker.debian.org/tracker/CVE-2026-14685 https://www.cve.org/CVERecord?id=CVE-2026-14685 [3] https://security-tracker.debian.org/tracker/CVE-2026-14686 https://www.cve.org/CVERecord?id=CVE-2026-14686 Regards, Salvatore __ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
