{"id":"CVE-2016-6870","details":"Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.","modified":"2026-04-11T05:00:38.272661Z","published":"2017-02-17T17:59:00.983Z","references":[{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/08/11/1"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/08/19/1"},{"type":"FIX","url":"https://github.com/facebook/hhvm/commit/365abe807cab2d60dc9ec307292a06181f77a9c2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/hhvm","events":[{"introduced":"0"},{"last_affected":"c6bf714e6468213eed377527b431e9cd4cec1432"},{"fixed":"365abe807cab2d60dc9ec307292a06181f77a9c2"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.14.5"}]}}],"versions":["HHVM-3.14.0","HHVM-3.14.1","HHVM-3.14.2","HHVM-3.14.3","HHVM-3.14.4","HHVM-3.14.5","HPHP-2.1.0","gcc-4.6","pre-hhvm","src-hphp"],"database_specific":{"vanir_signatures":[{"deprecated":false,"digest":{"length":743,"function_hash":"114867977983050212622086541014123241687"},"id":"CVE-2016-6870-2353ec81","target":{"function":"HHVM_FUNCTION","file":"hphp/runtime/ext/mbstring/ext_mbstring.cpp"},"source":"https://github.com/facebook/hhvm/commit/365abe807cab2d60dc9ec307292a06181f77a9c2","signature_version":"v1","signature_type":"Function"},{"deprecated":false,"digest":{"length":2008,"function_hash":"270621287774978279388612230843535800769"},"id":"CVE-2016-6870-2862bb51","target":{"function":"php_mb_parse_encoding_list","file":"hphp/runtime/ext/mbstring/ext_mbstring.cpp"},"source":"https://github.com/facebook/hhvm/commit/365abe807cab2d60dc9ec307292a06181f77a9c2","signature_version":"v1","signature_type":"Function"},{"deprecated":false,"digest":{"length":5763,"function_hash":"175255850959260944074864044220242170057"},"id":"CVE-2016-6870-a8421221","target":{"function":"HHVM_FUNCTION","file":"hphp/runtime/ext/mbstring/ext_mbstring.cpp"},"source":"https://github.com/facebook/hhvm/commit/365abe807cab2d60dc9ec307292a06181f77a9c2","signature_version":"v1","signature_type":"Function"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["81291799294188044419548885898863677444","334129936753055698817279323363287062517","119278207352512672874726475502463482756","77651973085436656010384534963122412574","94884553628404518757678110093925819778","260785380391309779635231137551516188119","16843447221246167481018524247081160718","47178538942963173336066979426644628877","290236221207822939983104984779229590118","325851553724617011024362058007504376690","253125444924017764730328807985166328798","43704474159867741125858855596264482691","257196312143380971199354157581017246090","207855001147430909639613377775071193721","18470550886304385424830755752223850259","163682291015810480412958215389671555798","325753258617333112613492363063622703908","162295224490180534297809903294035776501","270516219035561687025897415853200029503","121730556713594639371123614625056346901","245562915012402172616228977174907929715","232957166942843570282427365708910162210","115405333803912561378260058027951784897","161551525406625399162954204231453110010","45057152956111871477337737351579440918","172731990688014598911404433934925413503","27182391788903601565610132609166556725","202054158224965658132069364185701956394"]},"id":"CVE-2016-6870-d413b750","target":{"file":"hphp/runtime/ext/mbstring/ext_mbstring.cpp"},"source":"https://github.com/facebook/hhvm/commit/365abe807cab2d60dc9ec307292a06181f77a9c2","signature_version":"v1","signature_type":"Line"}],"vanir_signatures_modified":"2026-04-11T05:00:38Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6870.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}