{"id":"CVE-2018-6337","details":"folly::secureRandom will reuse a buffer between parent and child processes when fork() is called. As a result, multiple forked children will produce repeated (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.","modified":"2026-04-11T08:05:27.371552Z","published":"2018-12-31T22:29:00.247Z","references":[{"type":"ADVISORY","url":"https://hhvm.com/blog/2018/05/24/hhvm-3.26.3.html"},{"type":"FIX","url":"https://github.com/facebook/folly/commit/8e927ee48b114c8a2f90d0cbd5ac753795a6761f"},{"type":"FIX","url":"https://github.com/facebook/hhvm/commit/e2d10a1e32d01f71aaadd81169bcb9ae86c5d6b8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/folly","events":[{"introduced":"712b8b8de747960ceeceedfd3a18ee23a0c03a80"},{"last_affected":"c4fca6d0852bc68b1387c755be7a22710af70cb3"},{"fixed":"8e927ee48b114c8a2f90d0cbd5ac753795a6761f"}],"database_specific":{"versions":[{"introduced":"2017.12.11.00"},{"last_affected":"2018.08.09.00"}]}},{"type":"GIT","repo":"https://github.com/facebook/hhvm","events":[{"introduced":"a20c2a7761b782faf1635dfe2f1f8f0df438196d"},{"fixed":"cea63133cb066ebff74f9fc42789fa2017beab55"},{"fixed":"e2d10a1e32d01f71aaadd81169bcb9ae86c5d6b8"}],"database_specific":{"versions":[{"introduced":"3.26"},{"fixed":"3.26.3"}]}}],"versions":["HHVM-3.26.0","HHVM-3.26.1","HHVM-3.26.2","v2017.12.11.00","v2017.12.18.00","v2017.12.25.00","v2018.01.01.00","v2018.01.08.00","v2018.01.15.00","v2018.01.22.00","v2018.01.29.00","v2018.02.05.00","v2018.02.12.00","v2018.02.19.00","v2018.02.26.00","v2018.03.05.00","v2018.03.12.00","v2018.03.19.00","v2018.03.26.00","v2018.04.02.00","v2018.04.09.00","v2018.04.16.00","v2018.04.23.00","v2018.04.30.00","v2018.05.07.00","v2018.05.14.00","v2018.05.21.00","v2018.05.28.00","v2018.06.04.00","v2018.06.11.00","v2018.06.18.00","v2018.06.25.00","v2018.07.02.00","v2018.07.09.00","v2018.07.16.00","v2018.07.23.00","v2018.07
.30.00","v2018.08.06.00","v2018.08.09.00"],"database_specific":{"vanir_signatures":[{"signature_type":"Function","digest":{"function_hash":"284036517926769522446303472293932871264","length":167},"id":"CVE-2018-6337-26c63d9e","deprecated":false,"target":{"file":"folly/Random.cpp","function":"BufferedRandomDevice::BufferedRandomDevice"},"signature_version":"v1","source":"https://github.com/facebook/folly/commit/8e927ee48b114c8a2f90d0cbd5ac753795a6761f"},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["177920330538644327192225453200305065783","59911639472083442187456794245162808999","65172725879389982502094016348740295630","17990193584615700481737216549983378364","209095503057375019683009475243350527423","296410358608657755139750410745821126905","6183588544461503112388437451448205621","235905810367433042539041352614098937893","13633877825802383340203296441577109962","34706653758255140459594012130281298023","323743310232915005554048423781952476189","106311966400258842219023665560878942543","230258836968319331137014607436219812468","20826410772747688904839131406196838226","117656596208525043926138988524382117691"]},"id":"CVE-2018-6337-8d3baadc","deprecated":false,"target":{"file":"folly/Random.cpp"},"signature_version":"v1","source":"https://github.com/facebook/folly/commit/8e927ee48b114c8a2f90d0cbd5ac753795a6761f"},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["32876589609925362676926719200585395072","109574309600017076406065776388583700439","281574740350394436842520560909858709910","140335216194151808759673220052749435881"]},"id":"CVE-2018-6337-9642f365","deprecated":false,"target":{"file":"hphp/runtime/version.h"},"signature_version":"v1","source":"https://github.com/facebook/hhvm/commit/cea63133cb066ebff74f9fc42789fa2017beab55"}],"vanir_signatures_modified":"2026-04-11T08:05:27Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-6337.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","sc
ore":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}