Buffer overflow in Facebook Hhvm

CVE-2021-24025

Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function can trigger an integer overflow leading to a heap overflow. This issue affects HHVM versions prior to 4.56.3, all version…

Vulnerability class: Buffer Overflow

EPSS: 0.005 (64.9th percentile) — read the EPSS interpretation.

Affected products

Facebook Hhvm — versions 4.98.1, 4.98.0, 4.97.1

Weakness classification (CWE)

CWE-122 — Heap-based Buffer Overflow

References

hhvm.com/blog/2021/02/25/security-update.html (x_refsource_MISC)
github.com/facebook/hhvm/commit/08193b7f0cd3910256e00d599f0f3eb2519c44ca (x_refsource_MISC)