<Vulnerability name="CVE-2026-14684">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-07-04T23:30:10</PublicDate>
    <Bugzilla id="2497103" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497103" xml:lang="en:us">
org.hdrhistogram/HdrHistogram: HdrHistogram: HdrHistogram: Denial of Service via uncontrolled memory allocation in decodeFromByteBuffer
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>5.0</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-770</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw has been found in HdrHistogram up to 2.2.2. This affects the function org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. This manipulation of the argument numberOfSignificantValueDigits causes uncontrolled memory allocation. The attack can only be executed locally. The exploit has been published and may be used. The actual existence of this vulnerability is currently in question. This issue is disputed due to the potential lack of crossing of security boundaries and the pre-requisites for a successful attack.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in HdrHistogram. A local attacker can exploit a vulnerability in the `decodeFromByteBuffer` function by manipulating the `numberOfSignificantValueDigits` argument. This manipulation leads to uncontrolled memory allocation, which can result in a Denial of Service (DoS) condition, making the affected system or application unavailable.
    </Details>
    <Statement xml:lang="en:us">
Successful exploitation requires local access, as an attacker must be able to supply specially crafted, manipulated input directly to an application that is actively utilizing the affected HdrHistogram library.
The vulnerability is strictly limited to causing a Denial of Service (DoS) via uncontrolled memory allocation. It does not allow an attacker to execute arbitrary code, escalate privileges, or access unauthorized data. 
Furthermore, the impact is localized to the specific application processing the malicious input, rather than causing a broader, system-wide compromise.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
    </Mitigation>
    <AffectedRelease impact="moderate" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-06-18T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:26989">RHSA-2026:26989</Advisory>
        <Package name="netavark-main">netavark-main-2.0.0-1.hum1</Package>
    </AffectedRelease>
    <AffectedRelease impact="moderate" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-02T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:34975">RHSA-2026:34975</Advisory>
        <Package name="rust-main">rust-main-1.96.1-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/a:redhat:logging:6">
        <ProductName>Logging Subsystem for Red Hat OpenShift</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>openshift-logging/vector-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>openshift-lightspeed/lightspeed-ocp-rag-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:service_mesh:3">
        <ProductName>OpenShift Service Mesh 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>openshift-service-mesh/istio-ztunnel-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ansible-automation-platform-25/lightspeed-chatbot-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>HdrHistogram</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-llm-d-inference-scheduler-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-model-registry-job-async-upload-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>conmon-rs</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_update_service:5">
        <ProductName>Red Hat OpenShift Update Service</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>openshift-update-service/openshift-update-service-rhel8</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-14684
https://nvd.nist.gov/vuln/detail/CVE-2026-14684
https://github.com/HdrHistogram/HdrHistogram/
https://github.com/HdrHistogram/HdrHistogram/issues/220
https://vuldb.com/cve/CVE-2026-14684
https://vuldb.com/submit/846754
https://vuldb.com/vuln/376280
https://vuldb.com/vuln/376280/cti
    </References>
</Vulnerability>