CVE-2020-1919

Summary

Incorrect bounds calculations in substr_compare could lead to an out-of-bounds read when the second string argument passed in is longer than the first. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.

Affected Software

VendorProductVersion RangeStatus
FacebookHHVM4.98.1 < unspecifiedunaffected
FacebookHHVM4.98.0affected
FacebookHHVM4.97.1 < unspecifiedunaffected
FacebookHHVM4.97.0affected
FacebookHHVM4.96.1 < unspecifiedunaffected
FacebookHHVM4.96.0affected
FacebookHHVM4.95.1 < unspecifiedunaffected
FacebookHHVM4.95.0affected
FacebookHHVM4.94.1 < unspecifiedunaffected
FacebookHHVM4.94.0affected
FacebookHHVM4.93.2 < unspecifiedunaffected
FacebookHHVM4.81.0 < unspecifiedaffected
FacebookHHVM4.80.2 < unspecifiedunaffected
FacebookHHVM4.57.0 < unspecifiedaffected
FacebookHHVM4.56.3 < unspecifiedunaffected
FacebookHHVMunspecified < 4.56.3affected

Weaknesses

  • CWE-125: Out-of-bounds Read (CWE-125)

ADP Enrichment

CVE Program Container

Additional References

References