{"id":"CVE-2016-6874","details":"The array_*_recursive functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, related to recursion.","modified":"2026-04-11T05:00:37.969916Z","published":"2017-02-17T17:59:01.107Z","references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2016/08/11/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2016/08/19/1"},{"type":"FIX","url":"https://github.com/facebook/hhvm/commit/05e706d98f748f609b19d8697e490eaab5007d69"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/hhvm","events":[{"introduced":"0"},{"last_affected":"c6bf714e6468213eed377527b431e9cd4cec1432"},{"fixed":"05e706d98f748f609b19d8697e490eaab5007d69"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.14.5"}]}}],"versions":["HHVM-3.14.0","HHVM-3.14.1","HHVM-3.14.2","HHVM-3.14.3","HHVM-3.14.4","HHVM-3.14.5","HPHP-2.1.0","gcc-4.6","pre-hhvm","src-hphp"],"database_specific":{"vanir_signatures_modified":"2026-04-11T05:00:37Z","vanir_signatures":[{"deprecated":false,"signature_type":"Line","target":{"file":"hphp/runtime/ext/array/ext_array.cpp"},"id":"CVE-2016-6874-207ac9cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["324247740309630521115589608990939988504","335750478192012260655971691356011688207","46446102900497316475451323173952594154","75077608069427058602842329227235451618","286850605412566815144188951489854011006","102350789432461512915709869307434253297","11992210492932708662020986672095953295","96541618567299656324036554832340713154","287987783272091551619676840723976416867","76723312320879177241146209010113864322","14965768866555468680685048412271946899","32654622056269986734918028361247702883","258067032364881064242744511351530767986","339677967546808269503825200457957630033","17868266607999902140566336309301784573","112267562859984124688696118976752895906","208238379068141505509545204773058179421","231795011785782997988303847409322158337","249509477502516722321571257331609155189","302039163828202594852819094002668849110","284625939122734712611562239072655415047","287987783272091551619676840723976416867","76723312320879177241146209010113864322","36992198812113560366143763883480265685","137156166752827045245228083482232286427","311388789219197017852407647507433882562","12194972003207476065479201736049253129","285284535287183656764120030100354821641","11022638693122604303501856303510237180"]},"source":"https://github.com/facebook/hhvm/commit/05e706d98f748f609b19d8697e490eaab5007d69"},{"deprecated":false,"signature_type":"Function","target":{"file":"hphp/runtime/ext/array/ext_array.cpp","function":"php_array_merge_recursive"},"id":"CVE-2016-6874-9e0751aa","signature_version":"v1","digest":{"length":859,"function_hash":"281478178171380079084547508586386098647"},"source":"https://github.com/facebook/hhvm/commit/05e706d98f748f609b19d8697e490eaab5007d69"},{"deprecated":false,"signature_type":"Function","target":{"file":"hphp/runtime/ext/array/ext_array.cpp","function":"php_array_replace_recursive"},"id":"CVE-2016-6874-f8b84f98","signature_version":"v1","digest":{"length":880,"function_hash":"212107817504556648157856086243023831790"},"source":"https://github.com/facebook/hhvm/commit/05e706d98f748f609b19d8697e490eaab5007d69"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6874.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}