Out-of-bounds Read in Facebook HHVM
CVE-2020-1919
Incorrect bounds calculations in substr_compare could lead to an out-of-bounds read when the second string argument passed in is longer than the first. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80…
Vulnerability class: Buffer Overflow
EPSS: 0.004 (58.6th percentile)
Affected products
- Facebook HHVM — versions 4.98.1, 4.98.0, 4.97.1
Weakness classification (CWE)
References
- hhvm.com/blog/2021/02/25/security-update.html (x_refsource_MISC)
- github.com/facebook/hhvm/commit/08193b7f0cd3910256e00d599f0f3eb2519c44ca (x_refsource_MISC)