CVE-2019-11926

Name of the Vulnerable Software and Affected Versions HHVM versions prior to 3.30.9 HHVM versions 4.0.0 through 4.8.3 HHVM versions 4.9.0 through 4.15.2 HHVM versions 4.16.0 through 4.16.3 HHVM versions 4.17.0 through 4.17.2 HHVM versions 4.18.0 through 4.18.1 HHVM version 4.19.0 HHVM versions 4.20.0 through 4.20.1

Description The issue is caused by insufficient boundary checks when processing M SOFx markers from JPEG headers in the GD extension. This could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input.

Recommendations For versions prior to 3.30.9, update to version 3.30.9 or later. For versions 4.0.0 through 4.8.3, update to a version outside of this range. For versions 4.9.0 through 4.15.2, update to a version outside of this range. For versions 4.16.0 through 4.16.3, update to a version outside of this range. For versions 4.17.0 through 4.17.2, update to a version outside of this range. For versions 4.18.0 through 4.18.1, update to a version outside of this range. For version 4.19.0, update to a version outside of this range. For versions 4.20.0 through 4.20.1, update to a version outside of this range. As a temporary workaround, consider disabling the GD extension until a patch is available.