CVE Vulnerabilities

CVE-2019-11930

Release of Invalid Pointer or Reference

Published: Dec 04, 2019 | Modified: Feb 08, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Weakness

The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.

Affected Software

Name Vendor Start Version End Version
Hhvm Facebook * 3.30.12 (excluding)
Hhvm Facebook 4.0.0 (including) 4.8.5 (including)
Hhvm Facebook 4.9.0 (including) 4.23.1 (including)
Hhvm Facebook 4.24.0 (including) 4.24.0 (including)
Hhvm Facebook 4.25.0 (including) 4.25.0 (including)
Hhvm Facebook 4.26.0 (including) 4.26.0 (including)
Hhvm Facebook 4.27.0 (including) 4.27.0 (including)
Hhvm Facebook 4.28.0 (including) 4.28.0 (including)
Hhvm Facebook 4.28.1 (including) 4.28.1 (including)
Hhvm Ubuntu bionic *
Hhvm Ubuntu trusty *
Hhvm Ubuntu xenial *

Extended Description

This weakness can take several forms, such as:

Potential Mitigations

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, glibc in Linux provides protection against free of invalid pointers.

References