Lucene search
K
FacebookHhvm

40 matches found

CVE
CVE
added 2019/12/04 4:25 p.m.586 views

CVE-2019-11936

CVE-2019-11936 affects HHVM: various APC functions accept keys containing null bytes, causing input truncation. Affected versions include HHVM before 3.30.12, 4.0.0–4.8.5, 4.9.0–4.23.1, and 4.24.0–4.28.1. The Connected documents corroborate the same affected version ranges and input-truncation be...

9.8CVSS9.4AI score0.01476EPSS
CVE
CVE
added 2021/03/11 12:55 a.m.222 views

CVE-2020-1899

CVE-2020-1899 affects HHVM: the unserialize() type code "S" (meant for APC serialization) could be misused to access arbitrary memory addresses as static StringData objects. Affected HHVM versions include prior to v4.32.3 and ranges 4.33.0–4.62.0 (inclusive) as listed. Root cause is an inappropri...

7.5CVSS7.5AI score0.01218EPSS
CVE
CVE
added 2021/07/23 12:30 a.m.128 views

CVE-2021-24036

CVE-2021-24036 affects folly and HHVM: a vulnerability in IOBuf handling where passing an attacker-controlled size can trigger an integer overflow, causing an out-of-bounds heap write and potential remote code execution. Affected are folly versions prior to 2021.07.22.00 and HHVM versions prior t...

9.8CVSS9.8AI score0.03284EPSS
CVE
CVE
added 2021/03/11 12:55 a.m.94 views

CVE-2020-1898

CVE-2020-1898 affects Facebook HHVM (HipHop Virtual Machine). The vulnerability arises from fb_unserialize deserializing nested data without a depth limit, enabling a crafted input to cause recursive deserialization and stack exhaustion. Affected HHVM versions include before 4.32.3 and multiple r...

7.5CVSS7.5AI score0.01211EPSS
CVE
CVE
added 2019/09/06 6:46 p.m.92 views

CVE-2019-11926

CVE-2019-11926 involves insufficient boundary checks in the GD extension when processing M_SOFx markers in JPEG headers, allowing out-of-bounds memory access via a crafted JPEG input. Affected software: HHVM (HipHop VM) with affected versions listed across 3.30.x and 4.x lines (prior to 3.30.9, v...

9.8CVSS9.2AI score0.0229EPSS
CVE
CVE
added 2019/09/06 6:46 p.m.91 views

CVE-2019-11925

The CVE-2019-11925 entry concerns insufficient boundary checks when processing the JPEG APP12 block marker in the GD extension of HHVM, allowing access to out-of-bounds memory via crafted JPEG input. Affected HHVM versions include pre-3.30.9 and multiple 4.x releases (4.0.0–4.8.3, 4.9.0–4.15.2, 4...

9.8CVSS9.2AI score0.02084EPSS
CVE
CVE
added 2019/06/26 3:9 p.m.85 views

CVE-2019-3569

HHVM with FastCGI binds to all interfaces by default, enabling potential direct access and information disclosure. Affected: HHVM versions 4.3.0–4.8.0, 3.30.5 and below, and all 4.0, 4.1, 4.2 releases. The provided documents specify the exposure vector and vulnerable version ranges but do not inc...

7.5CVSS7.3AI score0.01489EPSS
CVE
CVE
added 2020/03/03 3:0 p.m.83 views

CVE-2020-1888

CVE-2020-1888 affects HHVM across a wide set of versions, with the root cause being insufficient boundary checks when decoding JSON in handleBackslash, causing reads out of bounds and potential DoS. Impact per sources includes high likelihood of denial of service (CVSSv3.1 base score 7.5; CVSSv2 ...

7.5CVSS7.6AI score0.01148EPSS
CVE
CVE
added 2021/03/11 12:55 a.m.83 views

CVE-2020-1900

HHVM (HipHop VM) has a vulnerability CVE-2020-1900 affecting unserialization of objects with dynamic properties. The issue occurs when HHVM does not pre-reserve the full size of the dynamic property array before inserting into it, causing potential array resizing that can invalidate previously st...

9.8CVSS9.3AI score0.01384EPSS
CVE
CVE
added 2020/03/03 3:0 p.m.82 views

CVE-2020-1892

CVE-2020-1892 affects HHVM and related JSON_parser decoding logic. The issue arises from insufficient boundary checks when decoding JSON, allowing read access to out-of-bounds memory and potentially causing information leaks and denial of service. Affected HHVM versions include 4.45.0 down to 4.3...

8.1CVSS7.7AI score0.01095EPSS
CVE
CVE
added 2020/03/03 3:0 p.m.79 views

CVE-2020-1893

CVE-2020-1893: Insufficient boundary checks when decoding JSON in TryParse leads to out-of-bounds reads and potential DOS in HHVM. Affected versions per provided docs include HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0; versions 4.33.0–4.38.0; versions 4.9.0–4.32.0; and all versio...

7.5CVSS7.6AI score0.01148EPSS
CVE
CVE
added 2019/01/15 10:0 p.m.78 views

CVE-2018-6345

The CVE-2018-6345 entry concerns Facebook HHVM’s number_format function. Concrete details from connected sources show a heap overflow in number_format when the second argument ($dec_points) is excessively large, affecting all supported HHVM versions up to 3.30.1 and 3.27.5 and earlier. The underl...

9.8CVSS9.5AI score0.01748EPSS
CVE
CVE
added 2023/05/10 6:28 p.m.78 views

CVE-2022-36937

HHVM 4.172.0 and earlier versions expose TLS 1.0 in the stream extension when handling tls:// URLs via stream_socket_server/stream_socket_client. TLS 1.0 is deprecated and has reported vulnerabilities; the fixed releases replace TLS 1.0 with TLS 1.3 (HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171...

9.8CVSS9.6AI score0.00527EPSS
CVE
CVE
added 2018/12/31 8:0 p.m.72 views

CVE-2018-6334

CVE-2018-6334 affects HHVM, where multipart-file uploads cause variables to be registered in the global scope. Affects all supported HHVM versions prior to the patch: 3.25.1, 3.24.5, 3.21.9 and below. Reported CVSS: 9.8 (CRITICAL, NETWORK, LOW complexity, no auth). Root cause: improper global reg...

9.8CVSS9.3AI score0.01913EPSS
CVE
CVE
added 2019/04/29 3:32 p.m.72 views

CVE-2019-3561

CVE-2019-3561 affects HHVM: Insufficient boundary checks in the strrpos and strripos functions allow access to out-of-bounds memory. Affected versions include HHVM 4.0.3, 3.30.4, 3.27.7 and below. The NVD entry presents high-severity scores (CVSSv2: 7.5/10; CVSSv3: 9.8/10) with network attack vec...

9.8CVSS9.4AI score0.01711EPSS
CVE
CVE
added 2018/12/03 2:0 p.m.71 views

CVE-2018-6332

CVE-2018-6332: A denial-of-service issue in the Proxygen handling of invalid HTTP/2 settings can cause the HHVM Proxygen server to consume disproportionate resources. Affected: HHVM versions 3.24.3 and 3.21.7 and earlier when using the proxygen HTTP/2 handler. Root cause and impact are described ...

5.9CVSS5.6AI score0.01086EPSS
CVE
CVE
added 2020/02/19 12:38 p.m.68 views

CVE-2016-1000109

HHVM is vulnerable to an httpoxy-style issue where untrusted data in the HTTP_PROXY variable can redirect a CGI app’s outbound traffic to an arbitrary proxy. Affected HHVM ranges include pre-3.9.6, 3.10.0–3.12.4, and 3.13.0–3.14.2. The CVE-2016-1000109 description confirms the root cause as RFC 3...

5.3CVSS5.4AI score0.05076EPSS
CVE
CVE
added 2018/12/31 8:0 p.m.68 views

CVE-2018-6335

CVE-2018-6335 affects HHVM's proxygen HTTP/2 handling. A malformed h2 frame can trigger a std::out_of_range exception during parsing of priority metadata, leading to a denial-of-service. Affected versions are HHVM 3.25.2, 3.24.6, 3.21.10 and earlier when using the proxygen server. The vulnerabili...

7.5CVSS7.4AI score0.01469EPSS
CVE
CVE
added 2017/02/17 5:0 p.m.66 views

CVE-2016-6874

CVE-2016-6874 affects Facebook HHVM (before 3.15.0) via the array_*_recursive functions, enabling unspecified impact through recursion. The available connected docs confirm the affected component and root cause (recursion in specific functions) but do not provide concrete exploit details, vectors...

9.8CVSS9.6AI score0.0201EPSS
CVE
CVE
added 2019/10/02 7:7 p.m.66 views

CVE-2019-11929

CVE-2019-11929 affects HHVM. The issue is insufficient boundary checks when formatting numbers in number_format, enabling read/write access to out-of-bounds memory and potentially remote code execution. Affected HHVM versions include prior to 3.30.10, and all 4.x releases up to 4.23.0 (specifical...

9.8CVSS9.7AI score0.04028EPSS
CVE
CVE
added 2019/11/19 2:51 p.m.63 views

CVE-2016-1000006

CVE-2016-1000006 affects hhvm before 3.12.11, with a use-after-free in the serialize_memoize_param() and ResourceBundle::__construct() functions. The connected documents provide the same description but do not specify an affected platform beyond this, nor concrete impact details, exploits, or a p...

9.8CVSS9.4AI score0.01568EPSS
CVE
CVE
added 2020/02/19 12:38 p.m.62 views

CVE-2016-1000005

CVE-2016-1000005 concerns HHVM where mcrypt_get_block_size does not enforce that the module parameter is a string, causing type confusion. Affected versions: HHVM

9.8CVSS9.4AI score0.01392EPSS
CVE
CVE
added 2018/12/31 10:0 p.m.62 views

CVE-2018-6340

The CVE-2018-6340 issue affects Facebook HHVM where the Memcache::getextendedstats function can trigger an out-of-bounds read. The vulnerability requires control over memcached hostnames/ports and impacts all supported HHVM versions up to 3.30 and 3.27.4 and earlier. The root cause is an out-of-b...

8.1CVSS8AI score0.0143EPSS
CVE
CVE
added 2021/10/26 8:5 p.m.62 views

CVE-2019-3556

The CVE-2019-3556 issue affects HHVM where the admin server’s dump-pcre-cache handler accepts an unvalidated filesystem path parameter, enabling a malicious user to overwrite arbitrary files with the privileges of the HHVM user. This can write to arbitrary locations and is tied to HHVM versions: ...

8.1CVSS8AI score0.01731EPSS
CVE
CVE
added 2021/03/10 3:50 p.m.62 views

CVE-2021-24025

The CVE-2021-24025 issue is an overflow in HHVM’s preg_quote handling caused by incorrect string size calculations, leading to a heap overflow. Affected are HHVM versions prior to 4.56.3, all releases 4.57.0–4.80.1, 4.81.0–4.93.1, and 4.94.0–4.98.0. The vulnerability is documented across multiple...

9.8CVSS9.5AI score0.01659EPSS
CVE
CVE
added 2020/02/19 12:38 p.m.60 views

CVE-2016-1000004

CVE-2016-1000004 affects Facebook HHVM:Insufficient type checks before casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. Impacted are HHVM variants prior to 3.9.5, 3.10.0–3.12.3 (inclusive), and 3.13.0–3.14.1 (inclusive). The vulnerability arises from type-validation gap...

9.8CVSS9.3AI score0.00683EPSS
CVE
CVE
added 2017/02/17 5:0 p.m.60 views

CVE-2016-6871

CVE-2016-6871: Integer overflow in Bcmath within Facebook HHVM before 3.15.0 can trigger a buffer overflow via unknown vectors, with unspecified impact. Affected product: Facebook HHVM (HipHop VM). Practical impact is described as overflow-related, but the exact exploit scenarios are not detailed...

9.8CVSS9.9AI score0.02329EPSS
CVE
CVE
added 2017/02/17 5:0 p.m.60 views

CVE-2016-6872

CVE-2016-6872 involves an integer overflow in StringUtil::implode in Facebook HHVM prior to 3.15.0. The vulnerability has a high/severe impact profile (CVSS v3.0: CRITICAL, 9.8; v2.0: HIGH, 7.5) with network attack vector and no authentication required. The reports state that the overflow could e...

9.8CVSS9.7AI score0.02219EPSS
CVE
CVE
added 2017/02/17 5:0 p.m.60 views

CVE-2016-6875

CVE-2016-6875 corresponds to an infinite recursion in WDDX handling in Facebook HHVM prior to 3.15.0. The vulnerability statement notes an unspecified impact via unknown vectors. The linked metrics assign a high base score (CVSSv2: 7.5; CVSSv3: 9.8) with network access and low attack complexity, ...

9.8CVSS9.6AI score0.02219EPSS
CVE
CVE
added 2021/03/10 3:50 p.m.60 views

CVE-2020-1917

The CVE-2020-1917 issue is a concrete bug in xbuf_format_converter (part of exif_read_data) in HHVM. It appends a terminating null without the normal append path, enabling an out-of-bounds write when the buffer is full. Affected HHVM versions include: prior to 4.56.3, 4.57.0–4.80.1, 4.81.0–4.93.1...

9.8CVSS9.4AI score0.01384EPSS
CVE
CVE
added 2018/12/31 10:0 p.m.59 views

CVE-2018-6337

The CVE-2018-6337 issue affects HHVM and the folly library, caused by folly::secureRandom re-using a buffer between parent and child processes after fork(). This can lead to repeated or correlated random outcomes across multiple forked children. Affected products/versions: HHVM prior to 3.26.3; f...

7.5CVSS7.5AI score0.01778EPSS
CVE
CVE
added 2019/12/04 4:25 p.m.58 views

CVE-2019-11930

HHVM contains an invalid free in mb_detect_order that can crash the process or allow remote code execution. Affected versions include HHVM prior to 3.30.12, 4.0.0–4.8.5, 4.9.0–4.23.1, and 4.24.0–4.28.1. The issue is caused by improper memory management in mb_detect_order. Mitigation is to upgrade...

9.8CVSS9.8AI score0.03248EPSS
CVE
CVE
added 2019/01/15 10:0 p.m.58 views

CVE-2019-3557

CVE-2019-3557 affects HHVM, specifically all supported versions up to 3.30 and 3.27.4 and below. The root cause is improper readImpl implementations for streams backed by bz2 and php://output, which returned -1, causing some stream functions (for example, stream_get_line) to trigger an out-of-bou...

9.8CVSS9.3AI score0.01711EPSS
CVE
CVE
added 2021/03/10 3:50 p.m.58 views

CVE-2020-1918

CVE-2020-1918 affects HHVM: reading memory prior to the in‑memory buffer via fopen on a data URI due to improper restriction of negative seeking. Affected versions include HHVM before 4.56.3, 4.57.0–4.80.1, 4.81.0–4.93.1, and 4.94.0–4.98.0. The provided documents do not specify a final patched ve...

7.5CVSS7.5AI score0.01218EPSS
CVE
CVE
added 2017/02/17 5:0 p.m.57 views

CVE-2016-6873

CVE-2016-6873 affects Facebook HHVM before 3.15.0. The vulnerability is caused by self recursion in the compact function, leading to unspecified impact via unknown vectors. Public records (NVD/NSS OSV) describe a high-severity, network-exploitable issue with potential partial confidentiality/inte...

9.8CVSS9.6AI score0.02219EPSS
CVE
CVE
added 2017/02/17 5:0 p.m.56 views

CVE-2016-6870

CVE-2016-6870 affects Facebook HHVM prior to 3.15.0. The vulnerability is an out-of-bounds write in the third-party/multibyte-related functions: mb_detect_encoding, mb_send_mail, and mb_detect_order, leading to unspecified impact through unknown vectors. The provided public documents do not speci...

9.8CVSS9.6AI score0.02212EPSS
CVE
CVE
added 2019/12/04 4:25 p.m.56 views

CVE-2019-11935

CVE-2019-11935 arises from insufficient boundary checks in mb_ereg_replace, allowing access to out-of-bounds memory. Connected sources confirm affected software as HHVM before 3.30.12 and the 4.x series: 4.0.0–4.8.5, 4.9.0–4.23.1, and 4.24.0–4.28.1. The NVD metrics indicate a high/severe impact (...

9.8CVSS9.3AI score0.01476EPSS
CVE
CVE
added 2021/03/10 3:50 p.m.53 views

CVE-2020-1921

CVE-2020-1921 affects HHVM: the crypt function may terminate a buffer using the salt length without verifying the offset lies inside the buffer. Affected HHVM versions include before 4.56.3, 4.57.0–4.80.1, 4.81.0–4.93.1, and 4.94.0–4.98.0. The initial description provides the vulnerable condition...

7.5CVSS7.5AI score0.01211EPSS
CVE
CVE
added 2021/03/10 3:50 p.m.49 views

CVE-2020-1916

CVE-2020-1916 involves an incorrect size calculation in ldap_escape that can cause an integer overflow and an out-of-bounds write. Affected software is HHVM versions prior to 4.56.2, and all versions between 4.57.0 and 4.83.0 (including 4.78.x, 4.79.x, 4.80.x, 4.81.x, 4.82.x, 4.83.x). The root ca...

9.8CVSS9.5AI score0.01384EPSS
CVE
CVE
added 2021/03/10 3:50 p.m.49 views

CVE-2020-1919

CVE-2020-1919 affects HHVM: incorrect bounds calculations in substr_compare could cause an out-of-bounds read when the second string arg is longer than the first. Affected versions include all HHVM builds prior to 4.56.3, 4.57.0–4.80.1, 4.81.0–4.93.1, and 4.94.0–4.98.0. The connected documents pr...

7.5CVSS7.3AI score0.01218EPSS