CVE-2019-11935

CRITICAL

HHVM < 3.30.12, 4.0.0-4.8.5, 4.9.0-4.23.1, 4.24.0-4.28.1 - Out-of-bounds Read

Title source: llm
STIX 2.1

Description

Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.0148
EPSS Percentile 70.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-120 CWE-125
Status published
Products (7)
facebook/hhvm 4.24.0
facebook/hhvm 4.25.0
facebook/hhvm 4.26.0
facebook/hhvm 4.27.0
facebook/hhvm 4.28.0
facebook/hhvm 4.28.1
facebook/hhvm < 3.30.12
Published Dec 04, 2019
Tracked Since Feb 18, 2026