PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6875 Facebook CVE debrief

CVE-2016-6875 is a critical vulnerability in Facebook HHVM’s WDDX handling. The public record describes an infinite recursion condition in wddx that could let an attacker cause unspecified impact through unknown vectors. NVD rates the issue 9.8/CRITICAL with a network-reachable attack profile and no privileges or user interaction required. The affected range listed by NVD extends through HHVM 3.14.5, while the vulnerability summary says versions before 3.15.0 are impacted. A patch commit is referenced in the public advisory trail, so upgrading to a fixed HHVM release is the primary remediation path.

Vendor
Facebook
Product
CVE-2016-6875
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-17
Original CVE updated
2026-05-13
Advisory published
2017-02-17
Advisory updated
2026-05-13

Who should care

Organizations running Facebook HHVM, especially any deployment that processes WDDX or other untrusted input, should treat this as a priority patching item.

Technical summary

The issue is an infinite recursion flaw in HHVM’s WDDX code path. NVD classifies it as CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which indicates a remotely reachable issue with potential for high confidentiality, integrity, and availability impact. The public description does not provide a concrete exploit vector beyond “unknown vectors,” so the safest interpretation is that the parser bug should be considered exploitable wherever the WDDX path is exposed to attacker-controlled data. NVD’s vulnerable-version criteria list HHVM up to 3.14.5, and the record references a patch commit in the HHVM repository.

Defensive priority

High. This is a critical, remotely reachable parser flaw with no privilege or interaction requirements in the NVD assessment, so affected systems should be patched as soon as possible.

Recommended defensive actions

  • Upgrade HHVM to 3.15.0 or later, or to the vendor-fixed release indicated by your distribution.
  • Identify all deployments still running HHVM 3.14.5 or earlier and prioritize them for immediate remediation.
  • Review application paths that accept or transform WDDX content and reduce exposure to untrusted input where feasible.
  • Validate that the patch referenced in the HHVM GitHub commit has been incorporated into your build, package, or container image.
  • Use the NVD and linked advisories to confirm whether any downstream packages vendor this fix separately.

Evidence notes

The public record for CVE-2016-6875 is sparse on exploit mechanics: it names an infinite recursion issue in HHVM WDDX and says attackers may cause unspecified impact via unknown vectors. NVD supplies the strongest technical detail available here: CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, a vulnerable CPE range through HHVM 3.14.5, and references to August 2016 mailing-list advisories plus a GitHub patch commit. The CVE was published on 2017-02-17 and later modified on 2026-05-13; that modification date reflects record updates, not the original issue date.

Official resources

The CVE record was published on 2017-02-17 and later modified on 2026-05-13. The linked public references include August 2016 mailing-list advisories and a GitHub patch commit, which indicate remediation activity predates CVE publication.