Vulnerability Description
Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function can trigger an integer overflow leading to a heap overflow. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hhvm | < 4.56.3 |
Related Weaknesses (CWE)
References
- https://github.com/facebook/hhvm/commit/08193b7f0cd3910256e00d599f0f3eb2519c44caPatchThird Party Advisory
- https://hhvm.com/blog/2021/02/25/security-update.htmlRelease NotesThird Party Advisory
- https://github.com/facebook/hhvm/commit/08193b7f0cd3910256e00d599f0f3eb2519c44caPatchThird Party Advisory
- https://hhvm.com/blog/2021/02/25/security-update.htmlRelease NotesThird Party Advisory
FAQ
What is CVE-2021-24025?
CVE-2021-24025 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function can trigger an integer overflow leading to a heap overflow. This issue affects HHV...
How severe is CVE-2021-24025?
CVE-2021-24025 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-24025?
Check the references section above for vendor advisories and patch information. Affected products include: Facebook Hhvm.