CVE-2021-24036
CRITICALFacebook Folly < 2021.07.22.00 and HHVM < 4.80.5 - Heap-Based Buffer Overflow via IOBuf Size Mismanagement
Title source: llmDescription
Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds write on the heap with the possibility of remote code execution. This issue affects versions of folly prior to v2021.07.22.00. This issue affects HHVM versions prior to 4.80.5, all versions between 4.81.0 and 4.102.1, all versions between 4.103.0 and 4.113.0, and versions 4.114.0, 4.115.0, 4.116.0, 4.117.0, 4.118.0 and 4.118.1.
References (3)
Core 3
Core References
Product, Vendor Advisory x_refsource_confirm
https://hhvm.com/blog/2021/07/20/security-update.html
Patch, Third Party Advisory x_refsource_misc
https://github.com/facebook/folly/commit/4f304af1411e68851bdd00ef6140e9de4616f7d3
Vendor Advisory x_refsource_confirm
https://www.facebook.com/security/advisories/cve-2021-24036
Scores
CVSS v3
9.8
EPSS
0.0328
EPSS Percentile
86.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-122
CWE-190
Status
published
Products (8)
facebook/folly
< 2021.07.22.00
facebook/hhvm
4.114.0
facebook/hhvm
4.115.0
facebook/hhvm
4.116.0
facebook/hhvm
4.117.0
facebook/hhvm
4.118.0
facebook/hhvm
4.118.1
facebook/hhvm
< 4.80.5
Published
Jul 23, 2021
Tracked Since
Feb 18, 2026