CVE-2016-1000005

9.8 CRITICAL

📋 TL;DR

This CVE describes a type confusion vulnerability in HHVM's mcrypt_get_block_size function: the 'module' parameter was not validated as a string before use. An attacker who controls that argument could potentially execute arbitrary code or cause a denial of service. HHVM installations in the version ranges listed below, prior to the fix, are affected.

💻 Affected Systems

Products:
  • HHVM (HipHop Virtual Machine)
Versions: Versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive)
Operating Systems: All operating systems running HHVM
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the mcrypt_get_block_size function with untrusted input is vulnerable

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise

🟠 Likely Case: Application crash or denial of service

🟢 If Mitigated: Limited impact if proper input validation and type checking are implemented

🌐 Internet-Facing: HIGH - Web applications using vulnerable HHVM versions are directly exposed
🏢 Internal Only: MEDIUM - Internal applications still vulnerable but with reduced attack surface

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific input to trigger type confusion

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.5, 3.12.4, or 3.14.2 and later

Vendor Advisory: https://www.facebook.com/security/advisories/cve-2016-1000005

Restart Required: Yes

Instructions:

1. Identify the current HHVM version.
2. Upgrade to 3.9.5, 3.12.4, or 3.14.2 or later.
3. Restart the HHVM service.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Disable mcrypt extension (Platform: all)

Remove or disable the mcrypt extension if it is not required: remove mcrypt.so from the HHVM configuration or disable it via ini settings.

Input validation wrapper (Platform: all)

Implement strict type checking before calling mcrypt_get_block_size: wrap mcrypt_get_block_size calls with is_string() checks.

🧯 If You Can't Patch

  • Implement strict input validation for all parameters passed to mcrypt_get_block_size
  • Isolate HHVM instances behind firewalls and restrict network access
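The is_string() wrapper recommended under Temporary Workarounds and the strict input validation called for above, as an added example. This is not code from HHVM or from the advisory; it assumes the two-argument PHP form mcrypt_get_block_size(cipher, mode) and names the second argument $module to match the advisory. The sample call at the bottom is constructed.

```php
<?php
// Added example (not code from HHVM or the advisory): a guard around
// mcrypt_get_block_size() that refuses anything but string arguments, so a
// non-string 'module' value taken from untrusted input never reaches the
// native function. Assumes the PHP signature
// mcrypt_get_block_size(string $cipher, string $mode); the second argument is
// called $module here to match the advisory's naming.

/**
 * Strictly validated front-end for mcrypt_get_block_size().
 *
 * @param mixed $cipher cipher name, e.g. 'rijndael-128'
 * @param mixed $module mode name, e.g. 'cbc'
 * @return int block size in bytes
 * @throws InvalidArgumentException when either argument is not a plain string
 *         made of the characters mcrypt cipher/mode names use
 * @throws RuntimeException when the mcrypt extension is not loaded
 */
function safe_mcrypt_get_block_size($cipher, $module)
{
    foreach (['cipher' => $cipher, 'module' => $module] as $name => $value) {
        // is_string() is the check the advisory recommends: arrays, ints,
        // null and objects (even ones with __toString()) are all rejected.
        if (!is_string($value)) {
            throw new InvalidArgumentException(sprintf(
                "mcrypt_get_block_size: '%s' must be a string, %s given",
                $name,
                gettype($value)
            ));
        }
        // Defence in depth: cipher and mode names are short identifiers, so
        // anything else is refused before the native lookup sees it.
        if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $value)) {
            throw new InvalidArgumentException(
                "mcrypt_get_block_size: '$name' contains unexpected characters"
            );
        }
    }
    if (!function_exists('mcrypt_get_block_size')) {
        throw new RuntimeException('mcrypt extension is not loaded');
    }
    return mcrypt_get_block_size($cipher, $module);
}

// Constructed demonstration: an array where a string is expected is rejected
// before the extension is touched. Real callers would pass request values
// (e.g. from $_GET) through this wrapper instead of calling mcrypt directly.
try {
    safe_mcrypt_get_block_size('rijndael-128', ['cbc']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The wrapper deliberately rejects objects that implement __toString(): PHP would silently coerce them for a string parameter, but the point of the workaround is that only a genuine string ever reaches the extension.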

🔍 How to Verify

Check if Vulnerable:

Check HHVM version with 'hhvm --version' and compare against affected ranges

Check Version:

hhvm --version

Verify Fix Applied:

Verify version is 3.9.5+, 3.12.4+, or 3.14.2+ and test mcrypt_get_block_size with various input types
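A version check that encodes the affected ranges from this advisory, as an added example (not part of the advisory). It assumes HHVM's HHVM_VERSION constant is available when run under HHVM, and falls back to parsing the output of hhvm --version otherwise; the version strings in the comments are constructed.

```php
<?php
// Added example (not from the advisory): decide whether an HHVM version
// falls inside the affected ranges listed for CVE-2016-1000005.
//   affected: < 3.9.5, 3.10.0..3.12.3 inclusive, 3.13.0..3.14.1 inclusive
//   fixed:    3.9.5+, 3.12.4+ (3.12 line), 3.14.2+ (3.14 line)

/**
 * Pull a bare "major.minor.patch" out of `hhvm --version` output such as the
 * constructed line "HipHop VM 3.12.3 (rel)". Returns null when none is found.
 *
 * @param string $versionOutput
 * @return string|null
 */
function hhvm_extract_version($versionOutput)
{
    if (preg_match('/\b(\d+\.\d+\.\d+)\b/', $versionOutput, $m)) {
        return $m[1];
    }
    return null;
}

/**
 * True when $version is inside an affected range for CVE-2016-1000005.
 * version_compare() compares dotted components numerically, so 3.9.x sorts
 * below 3.10.x as intended.
 *
 * @param string $version e.g. "3.12.3"
 * @return bool
 */
function hhvm_is_affected($version)
{
    // Everything below 3.9.5 (including older 3.x lines) is affected.
    if (version_compare($version, '3.9.5', '<')) {
        return true;
    }
    // 3.10.0 .. 3.12.3 inclusive; 3.12.4 and later are fixed.
    if (version_compare($version, '3.10.0', '>=') && version_compare($version, '3.12.3', '<=')) {
        return true;
    }
    // 3.13.0 .. 3.14.1 inclusive; 3.14.2 and later are fixed.
    if (version_compare($version, '3.13.0', '>=') && version_compare($version, '3.14.1', '<=')) {
        return true;
    }
    return false;
}

// When run directly, report on the locally installed HHVM. HHVM_VERSION is
// defined by HHVM itself; under another PHP engine we shell out instead so
// the script still works from an ordinary php-cli.
if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === __FILE__) {
    $raw = defined('HHVM_VERSION')
        ? HHVM_VERSION
        : (string) shell_exec('hhvm --version 2>/dev/null');
    $ver = hhvm_extract_version($raw);
    if ($ver === null) {
        fwrite(STDERR, "Could not determine HHVM version\n");
        exit(2);
    }
    $affected = hhvm_is_affected($ver);
    printf(
        "HHVM %s: %s\n",
        $ver,
        $affected ? 'AFFECTED - upgrade to 3.9.5, 3.12.4 or 3.14.2 or later' : 'not in an affected range'
    );
    exit($affected ? 1 : 0);
}
```

Exit status 1 for an affected version makes the script usable from a deployment pipeline or a configuration-management check; pair it with a functional test of mcrypt_get_block_size on non-string input, as the verification step above suggests, since a build label alone does not prove the patched code is what is running.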

📡 Detection & Monitoring

Log Indicators:

  • HHVM crashes, segmentation faults, or abnormal termination logs

Network Indicators:

  • Unusual requests to endpoints using mcrypt functions

SIEM Query:

source="hhvm.log" AND ("segmentation fault" OR "type confusion" OR "mcrypt_get_block_size")

🔗 References