CVE-2019-11936
CRITICALFacebook HHVM - Null Byte Truncation in APC Functions
Title source: llmDescription
Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://hhvm.com/blog/2019/10/28/security-update.html
Patch, Third Party Advisory x_refsource_confirm
https://github.com/facebook/hhvm/commit/f57df6d8cf33cb14c40f52287da29360e7003373
Vendor Advisory x_refsource_confirm
https://www.facebook.com/security/advisories/cve-2019-11936
Scores
CVSS v3
9.8
EPSS
0.0148
EPSS Percentile
70.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-626
Status
published
Products (7)
facebook/hhvm
4.24.0
facebook/hhvm
4.25.0
facebook/hhvm
4.26.0
facebook/hhvm
4.27.0
facebook/hhvm
4.28.0
facebook/hhvm
4.28.1
facebook/hhvm
< 3.30.12
Published
Dec 04, 2019
Tracked Since
Feb 18, 2026