Skip to main content

Hhvm

25 CVEs product

Monthly

CVE-2021-24036 CRITICAL PATCH Act Now

Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds write on the heap with the possibility of remote code execution.07.22.00.80.5, all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Heap Overflow RCE Folly Hhvm
NVD GitHub
CVSS 3.1
9.8
EPSS
3.3%
CVE-2021-24025 CRITICAL PATCH Act Now

Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function can trigger an integer overflow leading to a heap overflow.56.3, all versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Heap Overflow Hhvm
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2020-1893 HIGH PATCH This Week

Insufficient boundary checks when decoding JSON in TryParse reads out of bounds memory, potentially leading to DOS.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Hhvm
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2020-1892 HIGH PATCH This Week

Insufficient boundary checks when decoding JSON in JSON_parser allows read access to out of bounds memory, potentially leading to information leak and DOS.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Hhvm
NVD GitHub
CVSS 3.1
8.1
EPSS
1.1%
CVE-2020-1888 HIGH PATCH This Week

Insufficient boundary checks when decoding JSON in handleBackslash reads out of bounds memory, potentially leading to DOS.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Hhvm
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2019-11936 CRITICAL PATCH Act Now

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hhvm
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2019-11935 CRITICAL PATCH Act Now

Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Hhvm
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2019-11930 CRITICAL PATCH Act Now

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Hhvm
NVD GitHub
CVSS 3.1
9.8
EPSS
3.2%
CVE-2019-11929 CRITICAL PATCH Act Now

Insufficient boundary checks when formatting numbers in number_format allows read/write access to out-of-bounds memory, potentially leading to remote code execution.30.10, all versions between 4.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow RCE Hhvm
NVD GitHub
CVSS 3.1
9.8
EPSS
4.0%
CVE-2019-11926 CRITICAL PATCH Act Now

Insufficient boundary checks when processing M_SOFx markers from JPEG headers in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input.30.9, all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Hhvm
NVD GitHub
CVSS 3.0
9.8
EPSS
2.3%
CVE-2019-11925 CRITICAL PATCH Act Now

Insufficient boundary checks when processing the JPEG APP12 block marker in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input.30.9, all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Hhvm
NVD GitHub
CVSS 3.0
9.8
EPSS
2.1%
CVE-2019-3569 HIGH PATCH This Week

HHVM, when used with FastCGI, would bind by default to all available interfaces. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal Information Disclosure Hhvm
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2019-3561 CRITICAL Act Now

Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Hhvm
NVD GitHub
CVSS 3.0
9.8
EPSS
1.7%
CVE-2019-3557 CRITICAL PATCH Act Now

The implementations of streams for bz2 and php://output improperly implemented their readImpl functions, returning -1 consistently. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Hhvm
NVD GitHub
CVSS 3.0
9.8
EPSS
1.7%
CVE-2018-6340 HIGH PATCH This Week

The Memcache::getextendedstats function can be used to trigger an out-of-bounds read. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Buffer Overflow Hhvm
NVD GitHub
CVSS 3.1
8.1
EPSS
1.4%
CVE-2018-6337 HIGH PATCH This Week

folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Folly Hhvm
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2018-6335 HIGH PATCH This Week

A Malformed h2 frame can cause 'std::out_of_range' exception when parsing priority meta data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Hhvm
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2018-6334 CRITICAL PATCH Act Now

Multipart-file uploads call variables to be improperly registered in the global scope. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hhvm
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2018-6332 MEDIUM This Month

A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings which can cause the server to spend disproportionate resources. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service Hhvm
NVD
CVSS 3.1
5.9
EPSS
1.1%
CVE-2016-6875 CRITICAL PATCH Act Now

Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hhvm
NVD GitHub
CVSS 3.0
9.8
EPSS
0.6%
CVE-2016-6874 CRITICAL Act Now

The array_*_recursive functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, related to recursion. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hhvm
NVD GitHub
CVSS 3.0
9.8
EPSS
0.6%
CVE-2016-6873 CRITICAL PATCH Act Now

Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hhvm
NVD GitHub
CVSS 3.0
9.8
EPSS
0.6%
CVE-2016-6872 CRITICAL PATCH Act Now

Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow Buffer Overflow Hhvm
NVD GitHub
CVSS 3.0
9.8
EPSS
0.6%
CVE-2016-6871 CRITICAL PATCH Act Now

Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, which triggers a buffer overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow Buffer Overflow Hhvm
NVD GitHub
CVSS 3.0
9.8
EPSS
0.5%
CVE-2016-6870 CRITICAL PATCH Act Now

Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Memory Corruption Hhvm
NVD GitHub
CVSS 3.0
9.8
EPSS
1.0%
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds write on the heap with the possibility of remote code execution.07.22.00.80.5, all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Heap Overflow RCE +2
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function can trigger an integer overflow leading to a heap overflow.56.3, all versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Heap Overflow Hhvm
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Insufficient boundary checks when decoding JSON in TryParse reads out of bounds memory, potentially leading to DOS.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Hhvm
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Insufficient boundary checks when decoding JSON in JSON_parser allows read access to out of bounds memory, potentially leading to information leak and DOS.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Hhvm
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Insufficient boundary checks when decoding JSON in handleBackslash reads out of bounds memory, potentially leading to DOS.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Hhvm
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hhvm
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Hhvm
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Hhvm
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

Insufficient boundary checks when formatting numbers in number_format allows read/write access to out-of-bounds memory, potentially leading to remote code execution.30.10, all versions between 4.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow RCE Hhvm
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Insufficient boundary checks when processing M_SOFx markers from JPEG headers in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input.30.9, all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Hhvm
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Insufficient boundary checks when processing the JPEG APP12 block marker in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input.30.9, all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Hhvm
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HHVM, when used with FastCGI, would bind by default to all available interfaces. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal Information Disclosure Hhvm
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Hhvm
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

The implementations of streams for bz2 and php://output improperly implemented their readImpl functions, returning -1 consistently. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Hhvm
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

The Memcache::getextendedstats function can be used to trigger an out-of-bounds read. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Buffer Overflow Hhvm
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Folly Hhvm
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A Malformed h2 frame can cause 'std::out_of_range' exception when parsing priority meta data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Hhvm
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Multipart-file uploads call variables to be improperly registered in the global scope. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hhvm
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM This Month

A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings which can cause the server to spend disproportionate resources. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service Hhvm
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hhvm
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

The array_*_recursive functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, related to recursion. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hhvm
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hhvm
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow Buffer Overflow Hhvm
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, which triggers a buffer overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow Buffer Overflow Hhvm
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Memory Corruption Hhvm
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy