PatchSiren cyber security CVE debrief

CVE-2016-6873 Facebook CVE debrief

CVE-2016-6873 affects Facebook HHVM before 3.15.0. The public description says only that self-recursion in compact can be triggered, with unspecified impact via unknown vectors. NVD scores it 9.8 (critical) with a vector that requires no privileges and no user interaction, so exposed HHVM deployments should be treated as urgent patch candidates. Public references on oss-security appeared in August 2016, and the CVE record was published on 2017-02-17.

Vendor
Facebook
Product
HHVM
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-17
Original CVE updated
2026-05-13
Advisory published
2017-02-17
Advisory updated
2026-05-13

Who should care

Operators and developers running Facebook HHVM, especially for internet-facing services still on versions in the affected range. Security teams responsible for asset inventory, patching, and service hardening should prioritize it.

Technical summary

The vulnerability is described only as a self-recursion problem in HHVM's handling of compact, the PHP builtin that builds an array from the named variables in the calling scope. The corpus gives no deeper root-cause explanation, but it does bound the affected range: the CVE description says versions before 3.15.0, and NVD's CPE range marks versions through 3.14.5 as vulnerable. The official CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning network-reachable, low attack complexity, no privileges or user interaction, and high confidentiality, integrity and availability impact, which is why NVD classifies it as critical. Treat that impact rating as NVD's worst-case reading of an "unspecified impact" description: the corpus does not document a confirmed code-execution path, and unbounded recursion in a request handler most directly shows up as stack exhaustion and a crashed worker, so availability is the impact you can actually expect to observe.

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade HHVM to 3.15.0 or a later fixed release.
  • Inventory all systems that include HHVM and confirm none remain on vulnerable versions.
  • Prioritize patching of externally reachable HHVM deployments.
  • After updating, monitor for abnormal crashes or recursion-related errors and validate application behavior.
  • If immediate patching is not possible, reduce exposure by restricting access to HHVM services.
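The inventory and version-boundary check from the list above, as an added example that is not PatchSiren's or Facebook's code: a POSIX shell script that parses the banner printed by `hhvm --version` (format "HipHop VM X.Y.Z (rel)") and flags any build below the 3.15.0 fix boundary. The fix boundary comes from the CVE description; the host names and banner strings are constructed sample data standing in for output collected from a fleet, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not PatchSiren's or Facebook's code): flag HHVM builds below the
# 3.15.0 fix boundary for CVE-2016-6873 from `hhvm --version` banners.
# FIXED_VERSION comes from the CVE description; the inventory below is constructed.

FIXED_VERSION="3.15.0"

# Extract "X.Y.Z" from a banner such as "HipHop VM 3.14.5 (rel)".
# Prints nothing if the line does not look like an HHVM banner.
hhvm_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^HipHop VM \([0-9][0-9.]*\).*/\1/p'
}

# Split a dotted version into major/minor/patch; missing fields default to 0.
split_version() {
    v="$1.0.0"
    major=${v%%.*}; v=${v#*.}
    minor=${v%%.*}; v=${v#*.}
    patch=${v%%.*}
}

# True (exit 0) when dotted version $1 is strictly lower than $2.
# Compares field by field so that 3.9.1 < 3.14.5 < 3.15.0 (plain string
# comparison would wrongly rank "3.9.1" above "3.15.0").
version_lt() {
    split_version "$1"; a1=$major; a2=$minor; a3=$patch
    split_version "$2"; b1=$major; b2=$minor; b3=$patch
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# True (exit 0) when the given HHVM version is in the affected range.
# An empty version (unparseable banner) returns 2 so callers do not treat
# "could not tell" as "patched".
hhvm_is_vulnerable() {
    [ -n "$1" ] || return 2
    version_lt "$1" "$FIXED_VERSION"
}

# Constructed sample inventory: "<host> <hhvm --version banner>" per line.
SAMPLE_INVENTORY='web-01 HipHop VM 3.14.5 (rel)
web-02 HipHop VM 3.15.0 (rel)
web-03 HipHop VM 3.9.1 (rel)
web-04 HipHop VM 3.18.2 (rel)
web-05 no hhvm binary found'

# Walk the inventory and print one verdict per host.
report_vulnerable_hosts() {
    printf '%s\n' "$SAMPLE_INVENTORY" | while read -r host banner; do
        ver=$(hhvm_version_from_banner "$banner")
        if [ -z "$ver" ]; then
            echo "$host: no HHVM version banner parsed, check manually"
        elif hhvm_is_vulnerable "$ver"; then
            echo "$host: HHVM $ver is below $FIXED_VERSION -> PATCH (CVE-2016-6873)"
        else
            echo "$host: HHVM $ver is at or above the fix boundary"
        fi
    done
}

report_vulnerable_hosts
```

In a real fleet, replace SAMPLE_INVENTORY with the collected output of `hhvm --version` per host (for example via your configuration-management or SSH tooling) and feed externally reachable hosts first, since those are the ones the 9.8 network-vector score is about. The unparseable-banner branch matters: a host where the command fails or prints something unexpected should land in a "check manually" bucket rather than silently pass.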

Evidence notes

Source evidence is limited to the CVE/NVD record, two oss-security mailing list references from 2016-08-11 and 2016-08-19, and the upstream Facebook HHVM patch commit e264f04ae825a5d97758130cf8eec99862517e7e. The description states 'before 3.15.0,' while the NVD CPE range marks versions through 3.14.5 as vulnerable; both indicate a pre-3.15.0 fix boundary, but the corpus does not clarify the exact last affected build beyond the NVD range.

Official resources

Public discussion appears in oss-security references dated 2016-08-11 and 2016-08-19. The CVE record was published on 2017-02-17, and the NVD entry in this corpus was modified on 2026-05-13.