PatchSiren cyber security CVE debrief

CVE-2016-6871 Facebook CVE debrief

CVE-2016-6871 is a critical issue in the bcmath component of Facebook's HHVM. The NVD description says an integer overflow in HHVM before 3.15.0 can trigger a buffer overflow; the public summary leaves the impact unspecified and the attack vectors unknown. NVD rates the issue 9.8 with a network-exploitable vector that requires no privileges and no user interaction.

Vendor: Facebook
Product: CVE-2016-6871
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Teams operating or maintaining Facebook HHVM installations, especially those on affected versions, should prioritize this issue. Security teams responsible for PHP runtime platforms and downstream services that rely on HHVM should also review exposure.

Technical summary

The supplied NVD record identifies an integer overflow in HHVM's bcmath implementation that can lead to a buffer overflow. The description places affected versions before 3.15.0, and the CPE metadata marks versions through 3.14.5 inclusive. NVD maps the weakness to CWE-190 and lists a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
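The record names the weakness class (CWE-190) and the consequence (a buffer overflow) but not the code path, so the following is a constructed illustration of that class rather than HHVM's bcmath code. It is an added example, not part of the original debrief. The model it assumes is hypothetical: a number is stored as `len` integer digits plus `scale` fraction digits, one byte per digit, followed by a NUL terminator, and the buffer length is computed in a 32-bit unsigned integer. The unchecked function shows how the size calculation wraps to a small value; the checked functions show the defensive form, which refuses the request instead of handing a truncated size to the allocator.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of the CWE-190 pattern named in the NVD record.
 * This is NOT HHVM's bcmath code.  Assumed (hypothetical) layout: `len`
 * integer digits + `scale` fraction digits, one byte each, plus a NUL. */

/* Vulnerable shape: the 32-bit sum silently wraps modulo 2^32.  A caller that
 * allocates this many bytes and then copies len + scale digits would write
 * past the end of the buffer.  Kept only to show the wrapped value; nothing
 * here allocates or writes with it. */
uint32_t digits_buffer_size_unchecked(uint32_t len, uint32_t scale)
{
    return len + scale + 1u;
}

/* Hardened shape: each addition is range-checked before it is performed and
 * the caller gets a failure instead of a too-small size. */
bool digits_buffer_size_checked(uint32_t len, uint32_t scale, size_t *out)
{
    if (scale > UINT32_MAX - len)   /* len + scale would wrap */
        return false;
    uint32_t digits = len + scale;
    if (digits == UINT32_MAX)       /* adding the terminator would wrap */
        return false;
    *out = (size_t)digits + 1u;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the request does not fit. */
size_t checked_size_or_zero(uint32_t len, uint32_t scale)
{
    size_t n;
    return digits_buffer_size_checked(len, scale, &n) ? n : 0;
}

/* Allocate and zero-fill a digit buffer using the checked size.  Returns NULL
 * for any request that does not fit, so an undersized buffer never exists. */
char *alloc_digits(uint32_t len, uint32_t scale)
{
    size_t n;
    if (!digits_buffer_size_checked(len, scale, &n))
        return NULL;
    char *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    memset(buf, '0', n - 1);        /* n >= 1 is guaranteed by the check */
    buf[n - 1] = '\0';
    return buf;
}

/* Length of the digit string alloc_digits() produces, or -1 when it refuses.
 * Exists so the behaviour can be checked without leaking the buffer. */
long alloc_digits_len(uint32_t len, uint32_t scale)
{
    char *buf = alloc_digits(len, scale);
    if (buf == NULL)
        return -1;
    long n = (long)strlen(buf);
    free(buf);
    return n;
}

int main(void)
{
    /* Constructed inputs: a digit count chosen so the unchecked sum wraps. */
    printf("unchecked size for (UINT32_MAX, 1): %u\n",
           digits_buffer_size_unchecked(UINT32_MAX, 1u));
    printf("checked size for (UINT32_MAX, 1): %zu (0 = refused)\n",
           checked_size_or_zero(UINT32_MAX, 1u));
    printf("checked size for (10, 5): %zu\n", checked_size_or_zero(10u, 5u));
    printf("alloc_digits(3, 2) string length: %ld\n", alloc_digits_len(3u, 2u));
    return 0;
}
```

The same check applies wherever a length is derived from input-controlled digit counts before an allocation or copy; the defensive rule is to validate the arithmetic in the width it is actually performed in, not to trust a later bounds check on the already-wrapped value.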

Defensive priority

Immediate. The record rates the issue Critical with a 9.8 CVSS score and a vector indicating network access, low attack complexity, and no privileges or user interaction required.

Recommended defensive actions

  • Upgrade HHVM to version 3.15.0 or later, or to a vendor build that includes the fixed code.
  • Verify deployed HHVM versions against the affected range reported by NVD, which includes versions through 3.14.5 inclusive.
  • If immediate upgrading is not possible, reduce exposure by limiting network access to HHVM services and monitoring the HHVM processes for crashes or other abnormal behavior.
  • Confirm that downstream packages or containers include the Facebook HHVM patch referenced in the advisory materials.

Evidence notes

Primary evidence comes from the official NVD record and the CVE registry entry. NVD lists the weakness as CWE-190, affected HHVM versions through 3.14.5 inclusive, and a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Supporting references include two oss-security mailing list threads dated 2016-08-11 and 2016-08-19, plus the Facebook HHVM patch commit c00fc9d3003eb06226b58b6a48555f1456ee2475.

Official resources

The CVE record was published on 2017-02-17 and last modified on 2026-05-13. The supporting advisory threads and patch reference in the source corpus are dated August 2016.