CVE-2018-6345
First published: Tue Jan 15 2019(Updated: )
The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large. The internal implementation of the function will cause a string to be created with an invalid length, which can then interact poorly with other functions. This affects all supported versions of HHVM (3.30.1 and 3.27.5 and below).
Credit: cve-assign@fb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Facebook HHVM | <=3.27.5 | |
| Facebook HHVM | >=3.28.0<=3.30.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-6345?
CVE-2018-6345 is a vulnerability associated with the function number_format in Facebook HHVM, which can lead to a heap overflow issue.
How does CVE-2018-6345 affect Facebook HHVM?
CVE-2018-6345 affects Facebook HHVM versions 3.27.5 up to and including 3.30.1.
What is the severity of CVE-2018-6345?
CVE-2018-6345 has a severity rating of critical with a CVSS score of 9.8.
How can CVE-2018-6345 be exploited?
CVE-2018-6345 can be exploited by passing an excessively large value as the second argument ($dec_points) to the number_format function.
How can I fix CVE-2018-6345?
To fix CVE-2018-6345, update your version of Facebook HHVM to 3.30.2 or later, as it includes a fix for this vulnerability.
- collector/nvd-index
- agent/references
- agent/type
- vendor/facebook
- canonical/facebook hhvm
- version/facebook hhvm/3.27.5
- version/facebook hhvm/3.28.0
- version/facebook hhvm/3.30.1