<Vulnerability name="CVE-2026-14686">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-07-05T00:00:10</PublicDate>
    <Bugzilla id="2497105" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497105" xml:lang="en:us">
HdrHistogram: HdrHistogram: Data integrity impact due to incorrect comparison
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>3.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-839</CWE>
    <Details xml:lang="en:us" source="Mitre">
A vulnerability was found in HdrHistogram up to 2.2.2. This issue affects the function org.HdrHistogram.DoubleHistogram.recordValue of the file src/main/java/org/HdrHistogram/DoubleHistogram.java of the component Range Check. Performing a manipulation results in incorrect comparison. The attack is only possible with local access. The exploit has been made public and could be used. The presence of this vulnerability remains uncertain at this time. This issue is disputed due to the potential lack of crossing of security boundaries and the pre-requisites for a successful attack.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in HdrHistogram. This vulnerability affects the `DoubleHistogram.recordValue` function, which is part of the Range Check component. A local attacker can exploit this flaw by performing a specific manipulation, leading to an incorrect comparison of values. This issue primarily impacts data integrity.
    </Details>
    <Statement xml:lang="en:us">
Low: This HdrHistogram flaw enables a local attacker to manipulate data, resulting in incorrect value comparisons and a data integrity impact. The requirement for local system access significantly reduces the overall exposure and risk for Red Hat products.
    </Statement>
    <AffectedRelease impact="low" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-06-18T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:26989">RHSA-2026:26989</Advisory>
        <Package name="netavark-main">netavark-main-2.0.0-1.hum1</Package>
    </AffectedRelease>
    <AffectedRelease impact="low" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-02T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:34975">RHSA-2026:34975</Advisory>
        <Package name="rust-main">rust-main-1.96.1-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/a:redhat:logging:6">
        <ProductName>Logging Subsystem for Red Hat OpenShift</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift-logging/vector-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift-lightspeed/lightspeed-ocp-rag-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:service_mesh:3">
        <ProductName>OpenShift Service Mesh 3</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift-service-mesh/istio-ztunnel-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ansible-automation-platform-25/lightspeed-chatbot-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>HdrHistogram</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhoai/odh-llm-d-inference-scheduler-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhoai/odh-model-registry-job-async-upload-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-trustyai-service-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>conmon-rs</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_update_service:5">
        <ProductName>Red Hat OpenShift Update Service</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift-update-service/openshift-update-service-rhel8</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-14686
https://nvd.nist.gov/vuln/detail/CVE-2026-14686
https://github.com/HdrHistogram/HdrHistogram/
https://github.com/HdrHistogram/HdrHistogram/issues/222
https://vuldb.com/cve/CVE-2026-14686
https://vuldb.com/submit/846762
https://vuldb.com/vuln/376282
https://vuldb.com/vuln/376282/cti
    </References>
</Vulnerability>