Source: hdrhistogram
Version: 2.1.11-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for hdrhistogram.

The issues itself do not really warrant a RC level, but I noticed that
the package is at same old version across several releases and should
probably get an update for forky at last?

CVE-2026-14683[0]:
| A vulnerability was detected in HdrHistogram up to 2.2.2. Affected
| by this issue is the function
| org.HdrHistogram.AbstractHistogram.decodeFromCompressedByteBuffer of
| the file src/main/java/org/HdrHistogram/AbstractHistogram.java. The
| manipulation of the argument lengthOfCompressedContents results in
| uncontrolled memory allocation. The attack needs to be approached
| locally. The exploit is now public and may be used. It is still
| unclear if this vulnerability genuinely exists. This issue is
| disputed due to the potential lack of crossing of security
| boundaries and the pre-requisites for a successful attack.


CVE-2026-14684[1]:
| A flaw has been found in HdrHistogram up to 2.2.2. This affects the
| function org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer of
| the file src/main/java/org/HdrHistogram/AbstractHistogram.java. This
| manipulation of the argument numberOfSignificantValueDigits causes
| uncontrolled memory allocation. The attack can only be executed
| locally. The exploit has been published and may be used. The actual
| existence of this vulnerability is currently in question. This issue
| is disputed due to the potential lack of crossing of security
| boundaries and the pre-requisites for a successful attack.


CVE-2026-14685[2]:
| A vulnerability has been found in HdrHistogram up to 2.2.2. This
| vulnerability affects the function recordValueWithCount of the file
| src/main/java/org/HdrHistogram/AbstractHistogram.java of the
| component AbstractHistogram. Such manipulation of the argument Count
| leads to state issue. The attack can only be performed from a local
| environment. The exploit has been disclosed to the public and may be
| used. The existence of this vulnerability is still disputed at
| present. This issue is disputed due to the potential lack of
| crossing of security boundaries and the pre-requisites for a
| successful attack.


CVE-2026-14686[3]:
| A vulnerability was found in HdrHistogram up to 2.2.2. This issue
| affects the function org.HdrHistogram.DoubleHistogram.recordValue of
| the file src/main/java/org/HdrHistogram/DoubleHistogram.java of the
| component Range Check. Performing a manipulation results in
| incorrect comparison. The attack is only possible with local access.
| The exploit has been made public and could be used. The presence of
| this vulnerability remains uncertain at this time. This issue is
| disputed due to the potential lack of crossing of security
| boundaries and the pre-requisites for a successful attack.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-14683
    https://www.cve.org/CVERecord?id=CVE-2026-14683
[1] https://security-tracker.debian.org/tracker/CVE-2026-14684
    https://www.cve.org/CVERecord?id=CVE-2026-14684
[2] https://security-tracker.debian.org/tracker/CVE-2026-14685
    https://www.cve.org/CVERecord?id=CVE-2026-14685
[3] https://security-tracker.debian.org/tracker/CVE-2026-14686
    https://www.cve.org/CVERecord?id=CVE-2026-14686

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
[email protected] for discussions and questions.

Reply via email to