CVE-2019-3561

Source
https://cve.org/CVERecord?id=CVE-2019-3561
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3561.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-3561
Published
2019-04-29T16:29:00.890Z
Modified
2026-04-11T09:46:12.569007Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory. This affects all supported versions of HHVM (4.0.3, 3.30.4, and 3.27.7 and below).

Affected packages

Git / github.com/facebook/hhvm

Affected ranges

Type
GIT
Repo
https://github.com/facebook/hhvm
Events
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.27.7"
        },
        {
            "introduced": "3.28.0"
        },
        {
            "last_affected": "3.30.4"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "last_affected": "4.0.3"
        }
    ]
}

Affected versions

HHVM-3.*
HHVM-3.27.0
HHVM-3.27.1
HHVM-3.27.2
HHVM-3.27.3
HHVM-3.27.4
HHVM-3.27.5
HHVM-3.27.6
HHVM-3.27.7
HHVM-3.30.0
HHVM-3.30.1
HHVM-3.30.2
HHVM-3.30.3
HHVM-3.30.4
HHVM-4.*
HHVM-4.0.0
HHVM-4.0.1
HHVM-4.0.2
HHVM-4.0.3
HPHP-2.*
HPHP-2.1.0
gcc-4.*
gcc-4.6
nightly-2019.*
nightly-2019.03.28
nightly-2019.03.29
nightly-2019.03.30
nightly-2019.03.31
nightly-2019.04.01
nightly-2019.04.02
nightly-2019.04.03
nightly-2019.04.04
nightly-2019.04.05
nightly-2019.04.06
Other
pre-hhvm
src-hphp

Database specific

vanir_signatures_modified
"2026-04-11T09:46:12Z"
vanir_signatures
[
    {
        "id": "CVE-2019-3561-3ddd119f",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/facebook/hhvm/commit/46003b4ab564b2abcd8470035fc324fe36aa8c75",
        "deprecated": false,
        "target": {
            "file": "hphp/runtime/base/zend-string.cpp"
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2019-3561-c8e5caec",
        "signature_version": "v1",
        "digest": {
            "function_hash": "233803255982675561415569984624047836652",
            "length": 692.0
        },
        "source": "https://github.com/facebook/hhvm/commit/46003b4ab564b2abcd8470035fc324fe36aa8c75",
        "deprecated": false,
        "target": {
            "function": "string_rfind",
            "file": "hphp/runtime/base/zend-string.cpp"
        },
        "signature_type": "Function"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3561.json"