PatchSiren cyber security CVE debrief

CVE-2016-6872 Facebook CVE debrief

CVE-2016-6872 describes an integer overflow in Facebook HHVM’s StringUtil::implode. The public record ties the issue to HHVM versions before 3.15.0, with NVD marking versions through 3.14.5 as vulnerable. Although the short description says the impact is unspecified, NVD assigns a CVSS 3.0 score of 9.8 (Critical), indicating potentially severe consequences if the flaw is reachable.

Vendor: Facebook
Product: CVE-2016-6872
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Teams operating HHVM instances, especially any environment still running HHVM 3.14.5 or earlier. Patch management, platform engineering, and incident response teams should treat this as a high-priority runtime vulnerability for exposed application servers.

Technical summary

The vulnerability is an integer overflow in StringUtil::implode, classified by NVD as CWE-190. NVD’s vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which means the issue is reachable over the network, requires no privileges or user interaction, and is rated as having high potential impact. The NVD CPE mapping marks HHVM versions up to and including 3.14.5 as vulnerable, and the linked upstream HHVM commit provides the fix reference.
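The page does not show the affected code path, so the following is an added, illustrative example and not HHVM's StringUtil::implode: an implode-style join whose output length is first computed with wrapping arithmetic (the CWE-190 pattern) and then with overflow checks that refuse instead of wrapping. All function names are assumptions.

```cpp
// Added illustrative example, not HHVM's own StringUtil::implode: an
// implode-style join whose output length is computed with overflow checks,
// the general CWE-190 defence for this class of bug.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// Unchecked length calculation: with large enough pieces the unsigned sum
// wraps around and yields a length far smaller than the bytes that will be
// copied, the classic CWE-190 root of an undersized buffer.
size_t naiveJoinLength(const std::vector<size_t>& lens, size_t sepLen) {
    size_t total = 0;
    for (size_t i = 0; i < lens.size(); ++i) {
        total += lens[i];
        if (i + 1 < lens.size()) total += sepLen;
    }
    return total;
}

// Checked variant: every addition is tested before it happens and the
// function returns nullopt instead of wrapping.
std::optional<size_t> checkedJoinLength(const std::vector<size_t>& lens,
                                        size_t sepLen) {
    size_t total = 0;
    auto add = [&](size_t n) {
        if (n > SIZE_MAX - total) return false;
        total += n;
        return true;
    };
    for (size_t i = 0; i < lens.size(); ++i) {
        if (!add(lens[i])) return std::nullopt;
        if (i + 1 < lens.size() && !add(sepLen)) return std::nullopt;
    }
    return total;
}

// Join that sizes its buffer from the checked length, so the allocation can
// never be smaller than what is appended into it.
std::optional<std::string> safeImplode(const std::vector<std::string>& pieces,
                                       const std::string& sep) {
    std::vector<size_t> lens;
    for (const auto& p : pieces) lens.push_back(p.size());
    auto len = checkedJoinLength(lens, sep.size());
    if (!len) return std::nullopt;
    std::string out;
    out.reserve(*len);
    for (size_t i = 0; i < pieces.size(); ++i) {
        out += pieces[i];
        if (i + 1 < pieces.size()) out += sep;
    }
    return out;
}
```

Feeding `{SIZE_MAX, 3}` to the naive version silently yields 2, whereas the checked version rejects the same input.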

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade HHVM to 3.15.0 or later, or apply the upstream fix referenced in the linked HHVM commit.
  • Inventory all hosts and containers for HHVM deployments and verify none remain on version 3.14.5 or earlier.
  • Prioritize remediation on internet-facing or shared application services that process untrusted input through HHVM.
  • If immediate upgrading is not possible, backport the vendor fix and validate the build against your release process before redeployment.

Evidence notes

The public sources support: an integer overflow in StringUtil::implode; HHVM before 3.15.0 as the affected product family; NVD’s vulnerable version mapping through 3.14.5; CWE-190; and a CVSS 3.0 score of 9.8 with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The OSS-Security references dated 2016-08-11 and 2016-08-19 provide the third-party disclosure trail, while the linked GitHub commit is the patch reference. The short description does not spell out a concrete exploit outcome, so any impact claims beyond the published CVSS and affected-version data would be speculative.

Official resources

Public discussion appears in OSS-Security posts from 2016-08-11 and 2016-08-19. The CVE record was published on 2017-02-17 and later modified by NVD on 2026-05-13.