{"id":"CVE-2019-3561","details":"Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory. This affects all supported versions of HHVM (4.0.3, 3.30.4, and 3.27.7 and below).","modified":"2026-04-11T09:46:12.569007Z","published":"2019-04-29T16:29:00.890Z","references":[{"type":"ADVISORY","url":"https://github.com/facebook/hhvm/commit/46003b4ab564b2abcd8470035fc324fe36aa8c75"},{"type":"ADVISORY","url":"https://hhvm.com/blog/2019/04/03/hhvm-4.0.4.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/hhvm","events":[{"introduced":"0"},{"last_affected":"c686c4b95e014efb7c66ea7e5967ad51a057630c"},{"introduced":"f0ad4879d6bee987a31c543ee57cc69b3741416b"},{"last_affected":"4b4b965f1a0b3cd2f67500c9e7e90361cd0194da"},{"introduced":"7d4f701b9ed004452d695fce4e1ef8f48babbf39"},{"last_affected":"d642bb525d6259c5757b37a2d253fc760fc71e07"},{"fixed":"46003b4ab564b2abcd8470035fc324fe36aa8c75"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.27.7"},{"introduced":"3.28.0"},{"last_affected":"3.30.4"},{"introduced":"4.0.0"},{"last_affected":"4.0.3"}]}}],"versions":["HHVM-3.27.0","HHVM-3.27.1","HHVM-3.27.2","HHVM-3.27.3","HHVM-3.27.4","HHVM-3.27.5","HHVM-3.27.6","HHVM-3.27.7","HHVM-3.30.0","HHVM-3.30.1","HHVM-3.30.2","HHVM-3.30.3","HHVM-3.30.4","HHVM-4.0.0","HHVM-4.0.1","HHVM-4.0.2","HHVM-4.0.3","HPHP-2.1.0","gcc-4.6","nightly-2019.03.28","nightly-2019.03.29","nightly-2019.03.30","nightly-2019.03.31","nightly-2019.04.01","nightly-2019.04.02","nightly-2019.04.03","nightly-2019.04.04","nightly-2019.04.05","nightly-2019.04.06","pre-hhvm","src-hphp"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3561.json","vanir_signatures_modified":"2026-04-11T09:46:12Z","vanir_signatures":[{"id":"CVE-2019-3561-3ddd119f","source":"https://github.com/facebook/hhvm/commit/46003b4ab564b2abcd8470035fc324fe36aa8c75","signature_version":"v1","target":{"file":"hphp/runtime/base/zend-string.cpp"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["237452518112066165983525395992909300297","201214131138209606689671867247993415808","54610128377508543250730928848483970785","242789402674019831977301466791096821524","336500895925397030468145046104198748865","240456634794077132233795511227815704682","317974168923229943747046666349420255385","292506728868866469570125519499549710225","302443854434745939084252164859834459713","302007955615939091473769814165926974232","138838629942511319016801371804450144799","85857119893084953972032221252929689699","263102628692895693081848348495429617013","271038400235954996429477344837723342111"]}},{"id":"CVE-2019-3561-c8e5caec","source":"https://github.com/facebook/hhvm/commit/46003b4ab564b2abcd8470035fc324fe36aa8c75","signature_version":"v1","target":{"function":"string_rfind","file":"hphp/runtime/base/zend-string.cpp"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"233803255982675561415569984624047836652","length":692}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}