CVE-2019-11935

CRITICAL

Facebook Hhvm < 3.30.12 - Buffer Overflow

Title source: rule

Description

Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://hhvm.com/blog/2019/10/28/security-update.html

Patch, Third Party Advisory x_refsource_confirm

https://github.com/facebook/hhvm/commit/1c518555dba6ceb45d5ba61845b96e261219c3b7

View Patch ZIP pw:eip

Vendor Advisory x_refsource_confirm

https://www.facebook.com/security/advisories/cve-2019-11935

Scores

CVSS v3 9.8

EPSS 0.0064

EPSS Percentile 70.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-125 CWE-120

Status published

Products (7)

facebook/hhvm 4.24.0

facebook/hhvm 4.25.0

facebook/hhvm 4.26.0

facebook/hhvm 4.27.0

facebook/hhvm 4.28.0

facebook/hhvm 4.28.1

facebook/hhvm < 3.30.12

Published Dec 04, 2019

Tracked Since Feb 18, 2026