Denial of Service via uncontrolled memory allocation
Summary
A vulnerability was detected in HdrHistogram up to 2.2.2. Affected by this issue is the function org.HdrHistogram.AbstractHistogram.decodeFromCompressedByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. The manipulation of the argument lengthOfCompressedContents results in uncontrolled memory allocation. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. A local attacker can exploit a vulnerability in the `decodeFromCompressedByteBuffer` function by manipulating the `lengthOfCompressedContents` argument. Low impact. This issue requires local access and results in resource exhaustion, not arbitrary code execution or data compromise. Red Hat severity: Low — CVSS 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L). Weakness: CWE-770. Affected Red Hat products: Red Hat Enterprise Linux 8; Red Hat Hardened Images; Red Hat OpenShift AI (RHOAI). Under investigation: Red Hat Ansible Automation Platform 2. Red Hat lists Logging Subsystem for Red Hat OpenShift; OpenShift Lightspeed; OpenShift Service Mesh 3; Red Hat OpenShift AI (RHOAI); Red Hat OpenShift Container Platform 4; Red Hat OpenShift Update Service as not affected. Red Hat does not currently list a fixing RHSA for this CVE.
- 2.2.2
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation
Mitigation steps weren't captured by the parser for this advisory — this is a parsing gap, not a statement that no fix exists. Read the vendor advisory below for the authoritative guidance.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.