{"id":"CVE-2016-6873","details":"Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.","modified":"2026-02-09T04:04:05.187357Z","published":"2017-02-17T17:59:01.077Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/08/11/1"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/08/19/1"},{"type":"FIX","url":"https://github.com/facebook/hhvm/commit/e264f04ae825a5d97758130cf8eec99862517e7e"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2016/08/11/1"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2016/08/19/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/hhvm","events":[{"introduced":"0"},{"fixed":"e264f04ae825a5d97758130cf8eec99862517e7e"}]}],"versions":["HPHP-2.1.0","gcc-4.6","pre-hhvm","src-hphp"],"database_specific":{"vanir_signatures":[{"target":{"file":"hphp/runtime/ext/array/ext_array.cpp","function":"HHVM_FUNCTION"},"id":"CVE-2016-6873-02e50422","source":"https://github.com/facebook/hhvm/commit/e264f04ae825a5d97758130cf8eec99862517e7e","digest":{"length":303,"function_hash":"125610103184926962950582925333815305707"},"signature_version":"v1","deprecated":false,"signature_type":"Function"},{"target":{"file":"hphp/runtime/ext/array/ext_array.cpp","function":"php_array_merge_recursive"},"id":"CVE-2016-6873-04b4ae07","source":"https://github.com/facebook/hhvm/commit/e264f04ae825a5d97758130cf8eec99862517e7e","digest":{"length":796,"function_hash":"85853746093120045721078706061501071445"},"signature_version":"v1","deprecated":false,"signature_type":"Function"},{"target":{"file":"hphp/runtime/ext/array/ext_array.cpp","function":"couldRecur"},"id":"CVE-2016-6873-6f317480","source":"https://github.com/facebook/hhvm/commit/e264f04ae825a5d97758130cf8eec99862517e7e","digest":{"length":223,"function_hash":"146266446582745356990202896584287219025"},"signature_version":"v1","deprecated":false,"signature_type":"Function"},{"target":{"file":"hphp/runtime/ext/array/ext_array.cpp","function":"php_array_replace_recursive"},"id":"CVE-2016-6873-7c3b86f0","source":"https://github.com/facebook/hhvm/commit/e264f04ae825a5d97758130cf8eec99862517e7e","digest":{"length":872,"function_hash":"328442204768296124416267005031122186472"},"signature_version":"v1","deprecated":false,"signature_type":"Function"},{"target":{"file":"hphp/runtime/ext/array/ext_array.cpp"},"id":"CVE-2016-6873-a91737e7","source":"https://github.com/facebook/hhvm/commit/e264f04ae825a5d97758130cf8eec99862517e7e","digest":{"line_hashes":["97361547630027322574222647014124852281","78903862613093397262113004768607414511","76765149538626271068897607737099354073","321476246634189679197177953373852899976","248672525003541227847887461059484603905","195485375378949632513157155182160058284","71886400786605584585836567979641842149","338626650070849102615054970750623059441","86125372370983923170963321836882601909","289725860449185516231204320354585492073","257334469680627901587349474656674537328","154849570881591230381242151849890572849","326805423876088448169918127897408315408","337807628311309867437776118780534299514","312758995874743756866805394665251027946","98317148521411626441563381943965899622","39295752359109139992725667355539978079","101401039760345960202110396765246996862","217587960885088870813847440557907263039","229527666502967812146007611241585244051","15695188223898260009332610533408179547","75344745195936675426714391345725018353","126954964390694268661484508007218851362","272005485538011712676942871332506373561","287359401698848343517626337763810182055","238435803054599643781881065999149726119","136575586570090622231093315131856701782","87586029857131106200540775548874032624","272005485538011712676942871332506373561","287359401698848343517626337763810182055","238435803054599643781881065999149726119","136575586570090622231093315131856701782","87586029857131106200540775548874032624"],"threshold":0.9},"signature_version":"v1","deprecated":false,"signature_type":"Line"},{"target":{"file":"hphp/runtime/ext/array/ext_array.cpp","function":"HHVM_FUNCTION"},"id":"CVE-2016-6873-d8b290bd","source":"https://github.com/facebook/hhvm/commit/e264f04ae825a5d97758130cf8eec99862517e7e","digest":{"length":355,"function_hash":"190016695376741468043394676901712689603"},"signature_version":"v1","deprecated":false,"signature_type":"Function"},{"target":{"file":"hphp/runtime/ext/array/ext_array.cpp","function":"compact"},"id":"CVE-2016-6873-e16f98da","source":"https://github.com/facebook/hhvm/commit/e264f04ae825a5d97758130cf8eec99862517e7e","digest":{"length":437,"function_hash":"23110508029818134001336601187523389830"},"signature_version":"v1","deprecated":false,"signature_type":"Function"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-6873.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}