PatchSiren cyber security CVE debrief

CVE-2016-6874 Facebook CVE debrief

CVE-2016-6874 is a critical vulnerability in Facebook HHVM affecting the array_*_recursive functions. The official record and NVD identify HHVM versions up to 3.14.5 as vulnerable, with the issue fixed in 3.15.0. NVD scores the flaw 9.8/CRITICAL and describes the attack surface as network-reachable with no user interaction or privileges required. Because the published description only says the impact is unspecified and related to recursion, defenders should treat this as a severe pre-authentication bug in exposed HHVM deployments and upgrade promptly.

Vendor: Facebook
Product: CVE-2016-6874
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Organizations running Facebook HHVM, especially internet-facing PHP/Hack application stacks that still use HHVM versions earlier than 3.15.0. Security teams responsible for patching, web platform operations, and asset owners with legacy HHVM services should prioritize this advisory.

Technical summary

The vulnerability is described as affecting HHVM's array_*_recursive functions and being related to recursion. The NVD entry classifies affected releases as HHVM through 3.14.5 and assigns CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable issue with no authentication or user interaction required. The source references include public OSS-security disclosure messages and a GitHub commit in the HHVM repository, supporting that the flaw was publicly discussed and subsequently fixed in the project.

Defensive priority

Immediate for any exposed or still-supported HHVM deployment. This is a pre-authentication, network-reachable, critical-severity issue with broad CIA impact in NVD scoring, so remediation should be scheduled ahead of routine maintenance.

Recommended defensive actions

  • Upgrade HHVM to 3.15.0 or later, or remove/retire HHVM if it is no longer required.
  • Inventory all services that depend on HHVM, including legacy or containerized deployments that may not be visible in standard web server inventories.
  • Prioritize externally reachable HHVM instances for emergency patching and validate that no older 3.14.x builds remain in production.
  • Use the official NVD and CVE records to confirm affected version ranges before applying compensating controls.
  • If immediate upgrade is not possible, isolate the service from untrusted networks and place it behind strict access controls until remediation is complete.
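The inventory and validation steps above reduce to a version comparison against the 3.15.0 fix release, ordered by exposure. The following is an added example, not PatchSiren's or the HHVM project's code: it parses the first line of `hhvm --version` output (the "HipHop VM X.Y.Z (rel)" format is an assumption about that command's output and should be confirmed on one host before relying on the regex), flags builds below 3.15.0, and orders findings so that externally reachable hosts come first. The inventory records are constructed sample data.

```python
# Added example (not from the advisory): triage an HHVM inventory for
# CVE-2016-6874 by comparing reported versions against the 3.15.0 fix release.
import re
import subprocess

FIXED_IN = (3, 15, 0)  # first unaffected release per the advisory

# Assumed output format of `hhvm --version`, e.g. "HipHop VM 3.14.5 (rel)".
VERSION_RE = re.compile(r"HipHop VM (\d+)\.(\d+)\.(\d+)")

# Lower number = handle first.
PRIORITY = {
    ("affected", "external"): 0,
    ("affected", "internal"): 1,
    ("unknown", "external"): 2,
    ("unknown", "internal"): 3,
    ("fixed", "external"): 4,
    ("fixed", "internal"): 5,
}


def parse_hhvm_version(output):
    """Extract (major, minor, patch) from `hhvm --version` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no HHVM version found in: %r" % output[:40])
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True for any build below the 3.15.0 fix release (covers all 3.14.x)."""
    return tuple(version) < FIXED_IN


def classify(version_output):
    """Map raw version output to 'affected', 'fixed' or 'unknown'."""
    try:
        return "affected" if is_affected(parse_hhvm_version(version_output)) else "fixed"
    except ValueError:
        # Unparseable output is not evidence of safety; keep it on the list.
        return "unknown"


def triage(inventory):
    """inventory: iterable of (host, exposure, version_output).
    Returns (host, exposure, status) tuples, most urgent first."""
    rows = [(host, exposure, classify(out)) for host, exposure, out in inventory]
    return sorted(rows, key=lambda r: (PRIORITY[(r[2], r[1])], r[0]))


def local_version_output():
    """Query the HHVM binary on this host (only used when run directly)."""
    return subprocess.run(["hhvm", "--version"], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample inventory: (hostname, exposure, captured `hhvm --version`).
SAMPLE_INVENTORY = [
    ("web-03", "external", "HipHop VM 3.15.0 (rel)"),
    ("batch-02", "internal", "HipHop VM 3.12.7 (rel)"),
    ("web-01", "external", "HipHop VM 3.14.5 (rel)"),
    ("legacy-04", "internal", "command not found"),
]

if __name__ == "__main__":
    for host, exposure, status in triage(SAMPLE_INVENTORY):
        print(f"{status:8} {exposure:8} {host}")
```

The `unknown` bucket is deliberate: a host whose version cannot be read stays on the work list rather than silently passing, which is the failure mode that lets a forgotten container slip through the "no 3.14.x remains in production" check.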

Evidence notes

All statements are based on the supplied NVD record and listed references. The NVD data identifies the affected CPE range as HHVM versions through 3.14.5 and provides the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The description states the flaw involves the array_*_recursive functions and recursion, but does not provide a more specific exploitation mechanism. The OSS-security references show public disclosure activity in August 2016, and the HHVM GitHub commit reference indicates a project fix exists, but the exact code-change details are not inferred here.

Official resources

The supplied references show public disclosure discussion on 2016-08-11 and 2016-08-19 via oss-security, while the CVE record itself was published on 2017-02-17. The latest supplied modified timestamp is 2026-05-13, which reflects record c