CVE-2019-11930

Summary

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Affected Software

VendorProductVersion RangeStatus
FacebookHHVM4.28.2affected
FacebookHHVM4.28.0 < unspecifiedaffected
FacebookHHVM4.27.1affected
FacebookHHVM4.27.0 < unspecifiedaffected
FacebookHHVM4.26.1affected
FacebookHHVM4.26.0 < unspecifiedaffected
FacebookHHVM4.25.1affected
FacebookHHVM4.25.0 < unspecifiedaffected
FacebookHHVM4.24.1affected
FacebookHHVM4.24.0 < unspecifiedaffected
FacebookHHVM4.23.2affected
FacebookHHVM4.9.0 < unspecifiedaffected
FacebookHHVM4.8.6affected
FacebookHHVM4.0.0 < unspecifiedaffected
FacebookHHVM3.30.12affected
FacebookHHVMunspecified < 3.30.12affected

Weaknesses

  • CWE-763: CWE-763: Release of Invalid Pointer or Reference

ADP Enrichment

CVE Program Container

Additional References

References