{"id":"CVE-2019-11936","details":"Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.","modified":"2026-04-11T08:55:48.880715Z","published":"2019-12-04T17:16:43.617Z","references":[{"type":"ADVISORY","url":"https://hhvm.com/blog/2019/10/28/security-update.html"},{"type":"ADVISORY","url":"https://www.facebook.com/security/advisories/cve-2019-11936"},{"type":"FIX","url":"https://github.com/facebook/hhvm/commit/f57df6d8cf33cb14c40f52287da29360e7003373"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/hhvm","events":[{"introduced":"0"},{"fixed":"abe9500970b23bc9c385bf18a15bd38e830859a6"},{"introduced":"7d4f701b9ed004452d695fce4e1ef8f48babbf39"},{"last_affected":"8384c051684f8bd1a8b0238a25b2ef4c9e3463d0"},{"introduced":"0abb3b0c92e938bb7dac2d0c1603c5866e2a035b"},{"last_affected":"0ebbb8cc2ba783424d555f4267c0e27b6731e070"},{"introduced":"0"},{"last_affected":"e3998b66312ebadd59b3a825f489a25bdb6f4ad3"},{"introduced":"0"},{"last_affected":"43e809390bc1262b277edaeff792354b8e01de2f"},{"introduced":"0"},{"last_affected":"5ba03af3e90602d6bd298090657f4922a2b74c26"},{"introduced":"0"},{"last_affected":"9042e689c1e8ab209bfa0c49e8fcb4b4f750e91a"},{"introduced":"0"},{"last_affected":"08a65067d1285909b5e76025f0664fb9a19188ab"},{"introduced":"0"},{"last_affected":"3f60b1f405b36bec6d85b4070ac066710f584032"},{"fixed":"f57df6d8cf33cb14c40f52287da29360e7003373"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.30.12"},{"introduced":"4.0.0"},{"last_affected":"4.8.5"},{"introduced":"4.9.0"},{"last_affected":"4.23.1"},{"introduced":"0"},{"last_affected":"4.24.0"},{"introduced":"0"},{"last_affected":"4.25.0"},{"introduced":"0"},{"last_affected":"4.26.0"},{"introduced":"0"},{"last_affected":"4.27.0"},{"introduced":"0"},{"last_affected":"4.28.0"},{"introduced":"0"},{"last_affected":"4.28.1"}]}}],"versions":["HHVM-3.30.0","HHVM-3.30.1","HHVM-3.30.10","HHVM-3.30.11","HHVM-3.30.2","HHVM-3.30.3","HHVM-3.30.4","HHVM-3.30.5","HHVM-3.30.6","HHVM-3.30.7","HHVM-3.30.8","HHVM-3.30.9","HHVM-4.23.0","HHVM-4.23.1","HHVM-4.24.0","HHVM-4.25.0","HHVM-4.26.0","HHVM-4.27.0","HHVM-4.28.0","HHVM-4.28.1","HHVM-4.8.0","HHVM-4.8.1","HHVM-4.8.2","HHVM-4.8.3","HHVM-4.8.4","HHVM-4.8.5","HPHP-2.1.0","gcc-4.6","nightly-2019.03.28","nightly-2019.03.29","nightly-2019.03.30","nightly-2019.03.31","nightly-2019.04.01","nightly-2019.04.02","nightly-2019.04.03","nightly-2019.04.04","nightly-2019.04.05","nightly-2019.04.06","nightly-2019.04.07","nightly-2019.04.08","nightly-2019.04.09","nightly-2019.04.10","nightly-2019.04.11","nightly-2019.04.12","nightly-2019.04.13","nightly-2019.04.14","nightly-2019.04.15","nightly-2019.04.16","nightly-2019.04.17","nightly-2019.04.18","nightly-2019.04.19","nightly-2019.04.20","nightly-2019.04.21","nightly-2019.04.22","nightly-2019.04.23","nightly-2019.04.24","nightly-2019.04.25","nightly-2019.04.26","nightly-2019.04.27","nightly-2019.04.28","nightly-2019.04.29","nightly-2019.04.30","nightly-2019.05.01","nightly-2019.05.02","nightly-2019.05.03","nightly-2019.05.04","nightly-2019.05.05","nightly-2019.05.06","nightly-2019.05.07","nightly-2019.05.08","nightly-2019.05.09","nightly-2019.05.10","nightly-2019.05.11","nightly-2019.05.12","nightly-2019.05.13","nightly-2019.05.14","nightly-2019.05.15","nightly-2019.05.16","nightly-2019.05.17","nightly-2019.05.18","nightly-2019.05.19","nightly-2019.05.20","nightly-2019.05.21","nightly-2019.05.22","nightly-2019.05.23","nightly-2019.05.24","nightly-2019.05.25","nightly-2019.05.26","nightly-2019.05.27","nightly-2019.05.28","nightly-2019.05.29","nightly-2019.05.30","nightly-2019.05.31","nightly-2019.06.01","nightly-2019.06.02","nightly-2019.06.03","nightly-2019.06.04","nightly-2019.06.05","nightly-2019.06.06","nightly-2019.06.07","nightly-2019.06.08","nightly-2019.06.09","nightly-2019.06.10","nightly-2019.06.11","nightly-2019.06.12","nightly-2019.06.13","nightly-2019.06.14","nightly-2019.06.15","nightly-2019.06.16","nightly-2019.06.17","nightly-2019.06.18","nightly-2019.06.19","nightly-2019.06.20","nightly-2019.06.21","nightly-2019.06.22","nightly-2019.06.23","nightly-2019.06.24","nightly-2019.06.25","nightly-2019.06.26","nightly-2019.06.27","nightly-2019.06.28","nightly-2019.06.29","nightly-2019.06.30","nightly-2019.07.01","nightly-2019.07.02","nightly-2019.07.03","nightly-2019.07.04","nightly-2019.07.05","nightly-2019.07.06","nightly-2019.07.07","nightly-2019.07.08","nightly-2019.07.09","nightly-2019.07.10","nightly-2019.07.11","nightly-2019.07.12","nightly-2019.07.13","nightly-2019.07.14","nightly-2019.07.15","nightly-2019.07.16","nightly-2019.07.17","nightly-2019.07.18","nightly-2019.07.19","nightly-2019.07.20","nightly-2019.07.21","nightly-2019.07.22","nightly-2019.07.23","nightly-2019.07.24","nightly-2019.07.25","nightly-2019.07.26","nightly-2019.07.27","nightly-2019.07.28","nightly-2019.07.29","nightly-2019.07.30","nightly-2019.07.31","nightly-2019.08.01","nightly-2019.08.02","nightly-2019.08.03","nightly-2019.08.04","nightly-2019.08.05","nightly-2019.08.06","nightly-2019.08.07","nightly-2019.08.08","nightly-2019.08.09","nightly-2019.08.10","nightly-2019.08.11","nightly-2019.08.12","nightly-2019.08.13","nightly-2019.08.14","nightly-2019.08.15","nightly-2019.08.16","nightly-2019.08.17","nightly-2019.08.18","nightly-2019.08.19","nightly-2019.08.20","nightly-2019.08.21","nightly-2019.08.22","nightly-2019.08.23","nightly-2019.08.24","nightly-2019.08.25","nightly-2019.08.26","nightly-2019.08.27","nightly-2019.08.28","nightly-2019.08.29","nightly-2019.08.30","nightly-2019.08.31","nightly-2019.09.01","nightly-2019.09.02","nightly-2019.09.03","nightly-2019.09.04","nightly-2019.09.05","nightly-2019.09.06","nightly-2019.09.07","nightly-2019.09.08","nightly-2019.09.09","nightly-2019.09.10","nightly-2019.09.11","nightly-2019.09.12","nightly-2019.09.13","nightly-2019.09.14","nightly-2019.09.15","nightly-2019.09.16","nightly-2019.09.17","nightly-2019.09.18","nightly-2019.09.19","nightly-2019.09.20","nightly-2019.09.21","nightly-2019.09.22","nightly-2019.09.23","nightly-2019.09.24","nightly-2019.09.25","nightly-2019.09.26","nightly-2019.09.27","nightly-2019.09.28","nightly-2019.09.29","nightly-2019.09.30","nightly-2019.10.01","nightly-2019.10.02","nightly-2019.10.03","nightly-2019.10.04","nightly-2019.10.05","nightly-2019.10.06","nightly-2019.10.07","nightly-2019.10.08","nightly-2019.10.09","nightly-2019.10.10","nightly-2019.10.11","nightly-2019.10.12","nightly-2019.10.13","nightly-2019.10.14","nightly-2019.10.15","nightly-2019.10.16","nightly-2019.10.17","nightly-2019.10.18","nightly-2019.10.19","nightly-2019.10.20","nightly-2019.10.21","nightly-2019.10.22","nightly-2019.10.23","nightly-2019.10.24","nightly-2019.10.25","nightly-2019.10.26","nightly-2019.10.27","nightly-2019.10.28","pre-hhvm","src-hphp"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11936.json","vanir_signatures":[{"id":"CVE-2019-11936-79335f36","target":{"file":"hphp/runtime/ext/apc/ext_apc.cpp","function":"HHVM_FUNCTION"},"source":"https://github.com/facebook/hhvm/commit/f57df6d8cf33cb14c40f52287da29360e7003373","deprecated":false,"signature_type":"Function","digest":{"function_hash":"302786188655341176538009649730954679767","length":182},"signature_version":"v1"},{"id":"CVE-2019-11936-a3c0dc26","target":{"file":"hphp/runtime/ext/apc/ext_apc.cpp"},"source":"https://github.com/facebook/hhvm/commit/f57df6d8cf33cb14c40f52287da29360e7003373","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["272383221625612781565429246263297881767","319797992090862512114749734969686443669","295831921326286298335842687405207353372","305562886381209043231772599449180369822","115560305413547634008857972826653056104","83240489537598737171175316379002323875","23114098130925324082306240880706608492","243880614582201667003046830805013707849","95289273938295999470573582580578174719","152800414575430260398438250564844505240","95883931890617597031057289183021201189","234172858145200805186308859744956047050","26169654246667068205173203889196660775","164607987509991891595275927492239586575","39059742752132932642733486614628754354","21388373989700720146858304177976489201","11920046040157090883958568676035442728","307981881315057116297410874488175117134","231425135890221893554356768638438099619","54148143155449799308330083378500776720","325043648044835681911180789382899178307","101299609180267778840631744430142036223","288869218235139172390023271261607537686","317283546901582461892172850792465514514","287027819856495634762601197117942961686"]},"signature_version":"v1"},{"id":"CVE-2019-11936-ad688d4d","target":{"file":"hphp/runtime/version.h"},"source":"https://github.com/facebook/hhvm/commit/abe9500970b23bc9c385bf18a15bd38e830859a6","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["133668036051771783543419871597262375468","129641396530610067548535575096508259636","304861650904458673854477435002975464077","140335216194151808759673220052749435881"]},"signature_version":"v1"},{"id":"CVE-2019-11936-bd71796f","target":{"file":"hphp/runtime/ext/apc/ext_apc.cpp","function":"HHVM_FUNCTION"},"source":"https://github.com/facebook/hhvm/commit/f57df6d8cf33cb14c40f52287da29360e7003373","deprecated":false,"signature_type":"Function","digest":{"function_hash":"95810590965850853596851980356340311974","length":711},"signature_version":"v1"},{"id":"CVE-2019-11936-c9d09532","target":{"file":"hphp/runtime/ext/apc/ext_apc.cpp","function":"HHVM_FUNCTION"},"source":"https://github.com/facebook/hhvm/commit/f57df6d8cf33cb14c40f52287da29360e7003373","deprecated":false,"signature_type":"Function","digest":{"function_hash":"211753672372970894029616592572861779238","length":760},"signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T08:55:48Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}