CVE-2019-3561 – Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory (30th Apr 2019)

Preface: The software reads data past the end, or before the beginning, of the intended buffer, which may expose sensitive memory to the caller. This class of defect is known as an “out-of-bounds read”.

Technical background: HHVM is an open-source virtual machine for executing programs written in Hack and PHP. HHVM uses a just-in-time (JIT) compilation approach to achieve superior performance. HHVM is developed by Facebook, so software developers at Facebook are the primary users of this technology.

Vulnerability details: Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory.

Impact: This affects all supported versions of HHVM (4.0.3, 3.30.4, and 3.27.7 and below).

Facebook resolved the issue in the following HHVM commit: https://github.com/facebook/hhvm/commit/46003b4ab564b2abcd8470035fc324fe36aa8c75
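As an added illustration of the boundary checks this advisory refers to (constructed example, not HHVM's code; the actual fix is in the commit linked above), the following C function models PHP's strrpos/strripos offset semantics and rejects any offset whose search window would fall outside the haystack buffer, which is the class of check whose absence permits an out-of-bounds read. The function name `checked_strrpos`, the helper `bytes_equal` and the sample string are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compare n bytes at a and b, optionally case-insensitively (the strripos case). */
static int bytes_equal(const char *a, const char *b, size_t n, int ci) {
    for (size_t i = 0; i < n; i++) {
        unsigned char x = (unsigned char)a[i], y = (unsigned char)b[i];
        if (ci ? tolower(x) != tolower(y) : x != y) return 0;
    }
    return 1;
}

/* PHP-style last-occurrence search with explicit bounds validation (hypothetical
 * helper, not HHVM's implementation). Returns the byte index of the match, -1 if
 * not found, -2 if the offset is out of range for the haystack. The -2 paths are
 * the boundary checks: without them the search window could start before or end
 * past the buffer and the compare loop would read out-of-bounds memory. */
long checked_strrpos(const char *hay, size_t hay_len,
                     const char *needle, size_t needle_len, long offset, int ci) {
    size_t start, end;   /* search window: a match must lie within [start, end) */
    if (needle_len == 0) return -2;
    if (offset >= 0) {
        if ((size_t)offset > hay_len) return -2;   /* start would lie beyond the buffer */
        start = (size_t)offset;
        end = hay_len;
    } else {
        if (offset < -(long)hay_len) return -2;    /* window would begin before the buffer */
        size_t back = (size_t)(-offset);
        start = 0;
        /* PHP semantics: skip the last |offset| bytes, but a needle that straddles
         * that cut may still end at the buffer end. */
        end = back < needle_len ? hay_len : hay_len - back + needle_len;
    }
    if (end - start < needle_len) return -1;
    for (size_t i = end - start - needle_len + 1; i-- > 0; ) {
        if (bytes_equal(hay + start + i, needle, needle_len, ci))
            return (long)(start + i);
    }
    return -1;
}

int main(void) {
    const char hay[] = "Hello World";                           /* constructed sample input */
    printf("%ld\n", checked_strrpos(hay, 11, "o", 1, 0, 0));    /* 7 */
    printf("%ld\n", checked_strrpos(hay, 11, "O", 1, -5, 1));   /* 4: case-insensitive, last 5 bytes skipped */
    printf("%ld\n", checked_strrpos(hay, 11, "o", 1, 12, 0));   /* -2: offset rejected */
    return 0;
}
```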