CVE-2019-11930
CRITICAL
HHVM <3.30.12, <4.8.5, <4.9.0-4.23.1, 4.24.0-4.28.1 - RCE
Title source: llmDescription
An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.
Scores
CVSS v3: 9.8
EPSS: 0.0250
EPSS Percentile: 85.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-763
Status: published
Products (7)
facebook/hhvm 4.24.0
facebook/hhvm 4.25.0
facebook/hhvm 4.26.0
facebook/hhvm 4.27.0
facebook/hhvm 4.28.0
facebook/hhvm 4.28.1
facebook/hhvm < 3.30.12
Published: Dec 04, 2019
Tracked Since: Feb 18, 2026