CVE-2021-24036 vulnerability in Facebook Products
Published on July 23, 2021
Passing an attacker-controlled size when creating an IOBuf could cause an integer overflow, leading to an out-of-bounds write on the heap with the possibility of remote code execution. This issue affects versions of folly prior to v2021.07.22.00. This issue affects HHVM versions prior to 4.80.5, all versions between 4.81.0 and 4.102.1, all versions between 4.103.0 and 4.113.0, and versions 4.114.0, 4.115.0, 4.116.0, 4.117.0, 4.118.0 and 4.118.1.
Weakness Type
Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
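As an added illustration (not folly's or HHVM's actual code), the unchecked size arithmetic this advisory describes beside a checked variant that refuses the request instead of wrapping; the headroom/tailroom constants and function names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <limits>
#include <optional>

// Assumed constants modelling an IOBuf-style layout: space reserved before
// and after the payload. The real values in folly are not taken from this page.
constexpr std::size_t kHeadroom = 64;
constexpr std::size_t kTailroom = 64;
constexpr std::size_t kMax = std::numeric_limits<std::size_t>::max();

// Unchecked pattern: the class of bug CVE-2021-24036 describes. For a
// `size` near SIZE_MAX the sum wraps, a buffer far smaller than `size`
// is allocated, and any later write of `size` bytes runs off the heap block.
std::size_t unchecked_capacity(std::size_t size) {
  return kHeadroom + size + kTailroom;  // wraps silently on overflow
}

// Detection helper: an allocation capacity smaller than the payload it is
// meant to hold is only possible if the addition wrapped.
bool unchecked_wraps(std::size_t size) {
  return unchecked_capacity(size) < size;
}

// Hardened pattern: each addition is checked against the remaining range,
// so an overflowing request is rejected rather than truncated.
std::optional<std::size_t> checked_capacity(std::size_t size) {
  if (size > kMax - kHeadroom) return std::nullopt;
  std::size_t cap = size + kHeadroom;
  if (cap > kMax - kTailroom) return std::nullopt;
  return cap + kTailroom;
}

int main() {
  const std::size_t hostile = kMax - 10;  // constructed oversized request
  std::cout << "unchecked capacity for hostile size: "
            << unchecked_capacity(hostile) << " (wrapped: "
            << (unchecked_wraps(hostile) ? "yes" : "no") << ")\n";
  auto safe = checked_capacity(hostile);
  std::cout << "checked capacity for hostile size: "
            << (safe ? std::to_string(*safe) : "rejected") << "\n";
  std::cout << "checked capacity for 1024 bytes: "
            << checked_capacity(1024).value() << "\n";
  return 0;
}
```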
Products Associated with CVE-2021-24036
Affected Versions
Facebook folly:
- v2021.07.22.00 and later (no upper bound given): unaffected
- Before v2021.07.22.00: affected
Facebook HHVM:
- 4.118.2 and later (no upper bound given): unaffected
- 4.118.0 and later (no upper bound given): affected
- 4.117.1 and later (no upper bound given): unaffected
- 4.117.0: affected
- 4.116.1 and later (no upper bound given): unaffected
- 4.116.0: affected
- 4.115.1 and later (no upper bound given): unaffected
- 4.115.0: affected
- 4.114.1 and later (no upper bound given): unaffected
- 4.114.0: affected
- 4.113.1 and later (no upper bound given): unaffected
- 4.113.0: affected
- 4.102.2 and later (no upper bound given): unaffected
- 4.102.0 and later (no upper bound given): affected
- 4.81.0 and later (no upper bound given): affected
- 4.80.5 and later (no upper bound given): unaffected
- Before 4.80.5: affected
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.