CVE-2019-11930
CRITICAL
HHVM <3.30.12, 4.0.0-4.8.5, 4.9.0-4.23.1, 4.24.0-4.28.1 - RCE
Title source: llmDescription
An invalid free (CWE-763) in HHVM's mb_detect_order() implementation can crash the process or potentially allow remote code execution. Affected releases are HHVM versions prior to 3.30.12, all versions from 4.0.0 through 4.8.5, all versions from 4.9.0 through 4.23.1, and the releases 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0 and 4.28.1.
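The version ranges above are the only actionable detail the record gives, so the practical first step is to decide whether a given HHVM build falls inside them. The following checker is an added example written for this page, not code from HHVM or from the CVE record; it encodes exactly the ranges stated in the description (anything not listed there, such as 4.8.6, 4.23.2 or 4.28.2, is reported as not affected). It assumes HHVM prints a dotted X.Y.Z version in its `hhvm --version` banner, which is an assumption about the tool's output rather than something the record states.

```python
"""Affected-version check for CVE-2019-11930 (HHVM mb_detect_order invalid free).

Added example for this page; not HHVM project code.  The ranges below are
transcribed from the advisory description.  Assumption: the installed HHVM
reports its version as a dotted X.Y.Z triple (e.g. "HipHop VM 4.28.1 (rel)").
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges named in the description.  "prior to 3.30.12" is handled
# separately in is_affected() because its upper bound is exclusive.
AFFECTED_RANGES = [
    ((4, 0, 0), (4, 8, 5)),
    ((4, 9, 0), (4, 23, 1)),
]

# Individual releases the description lists explicitly.
AFFECTED_EXACT = {
    (4, 24, 0), (4, 25, 0), (4, 26, 0), (4, 27, 0), (4, 28, 0), (4, 28, 1),
}


def parse_version(text: str) -> Optional[Version]:
    """Return the first X.Y.Z triple found in a version string, or None."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the version is inside one of the ranges the advisory lists."""
    if version < (3, 30, 12):          # "prior to 3.30.12"
        return True
    for low, high in AFFECTED_RANGES:  # "between 4.0.0 and 4.8.5", etc.
        if low <= version <= high:
            return True
    return version in AFFECTED_EXACT   # 4.24.0 ... 4.28.1 as listed


def classify(version_text: str) -> str:
    """Map free-form version text to 'affected', 'not affected' or 'unparseable'."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    return "affected" if is_affected(version) else "not affected"


def check_installed(hhvm_binary: str = "hhvm") -> str:
    """Run the local binary's --version (assumed flag) and classify the result."""
    try:
        proc = subprocess.run(
            [hhvm_binary, "--version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return "hhvm binary not found"
    return classify(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Constructed sample banners, not captured from real installs.
    for sample in ("HipHop VM 4.28.1 (rel)", "HipHop VM 4.29.0 (rel)", "HipHop VM 3.30.12 (rel)"):
        print(f"{sample!r}: {classify(sample)}")
    print("installed:", check_installed())
```

A version-string check is only as reliable as the reported version: distribution packages that backport the fix commit without bumping the version will be flagged as affected, so treat a positive result as a prompt to confirm against the referenced patch rather than as proof of exposure.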
References (3)
Core References
Patch
https://github.com/facebook/hhvm/commit/524d2e60cfe910406ec6109e4286d7edd545ab36
Vendor Advisory
https://hhvm.com/blog/2019/10/28/security-update.html
Vendor Advisory
https://www.facebook.com/security/advisories/cve-2019-11930
Scores
CVSS v3
9.8
EPSS
0.0325
EPSS Percentile
86.7%
Attack Vector
NETWORK
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-763 (Release of Invalid Pointer or Reference)
Status
published
Products (7)
facebook/hhvm 4.24.0
facebook/hhvm 4.25.0
facebook/hhvm 4.26.0
facebook/hhvm 4.27.0
facebook/hhvm 4.28.0
facebook/hhvm 4.28.1
facebook/hhvm < 3.30.12
Published
Dec 04, 2019
Tracked Since
Feb 18, 2026