CVE-2021-24025

Name of the Vulnerable Software and Affected Versions: HHVM versions prior to 4.56.3 HHVM versions 4.57.0 through 4.80.1 HHVM versions 4.81.0 through 4.93.1 HHVM versions 4.94.0 through 4.98.0

Description: The issue is caused by incorrect string size calculations inside the preg quote function. A large input string passed to the function can trigger an integer overflow, leading to a heap overflow.

Recommendations: For versions prior to 4.56.3, update to version 4.56.3 or later. For versions 4.57.0 through 4.80.1, update to version 4.80.2 or later. For versions 4.81.0 through 4.93.1, update to version 4.93.2 or later. For versions 4.94.0 through 4.98.0, update to a version later than 4.98.0. As a temporary workaround, consider restricting the input to the preg quote function to prevent large input strings.