CVE-2019-11936

CRITICAL

Facebook HHVM - Null Byte Truncation in APC Functions

Title source: llm
STIX 2.1

Description

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.0148
EPSS Percentile 70.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-626
Status published
Products (7)
facebook/hhvm 4.24.0
facebook/hhvm 4.25.0
facebook/hhvm 4.26.0
facebook/hhvm 4.27.0
facebook/hhvm 4.28.0
facebook/hhvm 4.28.1
facebook/hhvm < 3.30.12
Published Dec 04, 2019
Tracked Since Feb 18, 2026