CVE-2019-11930

high-risk
Published 2019-12-04

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Do I need to act?

EPSS score: ~2.5% chance of exploitation in the next 30 days (moderate exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Fix available. Upgrade to commit abe9500970b23bc9c385bf18a15bd38e830859a6 or 524d2e60cfe910406ec6109e4286d7edd545ab36
CVSS 9.8/10 Critical (attack vector: NETWORK, attack complexity: LOW)

Affected Products: 7

Risk score: 52/100 (high-risk)
Severity 32/34 · Critical
Exploitability 6/34 · Minimal
Exposure 14/34 · Moderate