PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6870 Facebook CVE debrief

CVE-2016-6870 is a critical memory-safety issue in Facebook HHVM’s mb_detect_encoding, mb_send_mail, and mb_detect_order functions. The public description says the flaw is an out-of-bounds write with unspecified impact, and NVD rates the issue as 9.8/CRITICAL. Systems running affected HHVM versions should be treated as high priority for patching.

Vendor
Facebook
Product
HHVM
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-17
Original CVE updated
2026-05-13
Advisory published
2017-02-17
Advisory updated
2026-05-13

Who should care

Administrators, platform owners, and application teams running Facebook HHVM or software that depends on HHVM should care, especially if they are still on versions before 3.15.0. Security teams responsible for internet-facing PHP runtimes should also prioritize review and upgrade planning.

Technical summary

The vulnerability is an out-of-bounds write in three HHVM mb_* functions: mb_detect_encoding, mb_send_mail, and mb_detect_order. The CVE description states the issue affects HHVM before 3.15.0; NVD’s affected CPE range lists versions through 3.14.5. Because the flaw is a write outside allocated bounds, the security concern is memory corruption: depending on what is overwritten, the realistic outcomes range from a crash of the HHVM process to attacker-controlled behaviour. NVD assigns CVSS 3.0 metrics of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Note that this vector scores the worst case for an out-of-bounds write of unspecified impact rather than a documented exploit, and that the three functions are only reachable over the network where application code passes request-derived data (strings to be encoding-detected, or mail headers and bodies) to them.

Defensive priority

Critical. NVD’s CVSS vector describes a remotely reachable memory-corruption issue with no privileges or user interaction required. Confirm which deployments still run a version below 3.15.0 and upgrade them as soon as possible, starting with internet-facing and multi-tenant hosts.

Recommended defensive actions

  • Upgrade HHVM to 3.15.0 or later; the CVE description says the issue affects versions before 3.15.0.
  • Inventory systems and containers that include HHVM, including embedded or legacy deployments, and verify the exact installed version.
  • Treat any internet-facing or multi-tenant HHVM deployment as urgent until remediation is complete.
  • Review application and platform logs for HHVM crashes or anomalous behaviour on code paths that call mb_detect_encoding, mb_send_mail, or mb_detect_order with untrusted input (for example request parameters or user-supplied mail content), as part of incident hygiene.
  • Use the linked vendor patch and advisory references to confirm remediation status in your environment.
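As an added example (not PatchSiren’s or HHVM’s own tooling), the following POSIX sh check performs the inventory step above: it reads the installed HHVM version and compares it numerically against 3.15.0, the first fixed release named in the CVE description. It assumes that `hhvm --version` prints a first line of the form "HipHop VM X.Y.Z (...)"; the fallback banner used when no hhvm binary is on PATH is constructed so the script runs offline. The function names (version_lt, parse_hhvm_version, hhvm_is_vulnerable) are this example’s own.

```shell
#!/bin/sh
# Added example: POSIX sh exposure check for CVE-2016-6870 (HHVM < 3.15.0).
# Not PatchSiren's or HHVM's own tooling. Assumption: `hhvm --version` prints a
# first line such as "HipHop VM 3.14.5 (rel)"; the sample banner below is constructed.

FIXED_VERSION="3.15.0"   # first fixed release per the CVE description

# version_lt A B: succeed (exit 0) when dotted version A is numerically below B.
# Missing components count as 0; non-numeric suffixes ("3.14.5-dev") are ignored.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal versions are not "less than"
}

# parse_hhvm_version BANNER: print the X.Y.Z part of a `hhvm --version` banner,
# or nothing if the banner does not look like one (assumed banner format).
parse_hhvm_version() {
    printf '%s\n' "$1" | sed -n 's/^HipHop VM \([0-9][0-9.]*\).*/\1/p'
}

# hhvm_is_vulnerable BANNER: 0 = affected (< 3.15.0), 1 = fixed, 2 = unrecognised banner.
hhvm_is_vulnerable() {
    v=$(parse_hhvm_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Inventory the local host if hhvm is on PATH; otherwise fall back to a
# constructed banner so the example still runs offline.
if command -v hhvm >/dev/null 2>&1; then
    banner=$(hhvm --version 2>/dev/null | head -n 1)
else
    banner="HipHop VM 3.14.5 (rel)"   # constructed sample, not a real host
fi

rc=0
hhvm_is_vulnerable "$banner" || rc=$?
case $rc in
    0) echo "AFFECTED : $banner (below $FIXED_VERSION, CVE-2016-6870)" ;;
    1) echo "FIXED    : $banner" ;;
    *) echo "UNKNOWN  : could not read an HHVM version from '$banner'" ;;
esac
```

Run it on each host or inside each container image that ships HHVM; an UNKNOWN result means the banner did not match the assumed format and the version should be confirmed by hand rather than treated as fixed.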

Evidence notes

The CVE description identifies an out-of-bounds write in mb_detect_encoding, mb_send_mail, and mb_detect_order, affecting Facebook HHVM before 3.15.0. NVD’s affected CPE entry lists HHVM versions up to and including 3.14.5. References include two Openwall mailing-list posts and a GitHub commit marked as a patch/vendor advisory. The public description does not specify a proven exploitation path or exact real-world impact, so this debrief avoids adding unsupported details.

Official resources

Published by CVE/NVD on 2017-02-17 and last modified on 2026-05-13. The source references indicate the patch and related advisories were public in August 2016.