CVE-2021-24025

Summary

Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function can trigger an integer overflow leading to a heap overflow. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.

Affected Software

VendorProductVersion RangeStatus
FacebookHHVM4.98.1 < unspecifiedunaffected
FacebookHHVM4.98.0affected
FacebookHHVM4.97.1 < unspecifiedunaffected
FacebookHHVM4.97.0affected
FacebookHHVM4.96.1 < unspecifiedunaffected
FacebookHHVM4.96.0affected
FacebookHHVM4.95.1 < unspecifiedunaffected
FacebookHHVM4.95.0affected
FacebookHHVM4.94.1 < unspecifiedunaffected
FacebookHHVM4.94.0affected
FacebookHHVM4.93.2 < unspecifiedunaffected
FacebookHHVM4.81.0 < unspecifiedaffected
FacebookHHVM4.80.2 < unspecifiedunaffected
FacebookHHVM4.57.0 < unspecifiedaffected
FacebookHHVM4.56.3 < unspecifiedunaffected
FacebookHHVMunspecified < 4.56.3affected

Weaknesses

  • CWE-122: Heap-based Buffer Overflow (CWE-122)

ADP Enrichment

CVE Program Container

Additional References

References