{"api_version":"1","generated_at":"2026-04-23T04:33:08+00:00","cve":"CVE-2018-6337","urls":{"html":"https://cve.report/CVE-2018-6337","api":"https://cve.report/api/cve/CVE-2018-6337.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-6337","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-6337"},"summary":{"title":"CVE-2018-6337","description":"folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.","state":"PUBLIC","assigner":"cve-assign@fb.com","published_at":"2018-12-31 22:29:00","updated_at":"2019-10-09 23:41:00"},"problem_types":["CWE-119"],"metrics":[],"references":[{"url":"https://github.com/facebook/hhvm/commit/e2d10a1e32d01f71aaadd81169bcb9ae86c5d6b8","name":"https://github.com/facebook/hhvm/commit/e2d10a1e32d01f71aaadd81169bcb9ae86c5d6b8","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"[security][CVE-2018-6337] Flush folly::secureRandom buffer on fork · facebook/hhvm@e2d10a1 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://hhvm.com/blog/2018/05/24/hhvm-3.26.3.html","name":"https://hhvm.com/blog/2018/05/24/hhvm-3.26.3.html","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"HHVM 3.26.3 | HHVM","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/facebook/folly/commit/8e927ee48b114c8a2f90d0cbd5ac753795a6761f","name":"https://github.com/facebook/folly/commit/8e927ee48b114c8a2f90d0cbd5ac753795a6761f","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Flush secureRandom buffer on fork · facebook/folly@8e927ee · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-6337","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6337","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"6337","vulnerable":"1","versionEndIncluding":"2018.08.09.00","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"facebook","cpe5":"folly","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"6337","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"facebook","cpe5":"hhvm","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"6337","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"facebook","cpe5":"hhvm","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve-assign@fb.com","DATE_ASSIGNED":"2018-05-24","ID":"CVE-2018-6337","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"HHVM","version":{"version_data":[{"version_affected":"!=>","version_value":"3.26.3"},{"version_affected":">=","version_value":"3.26.0"},{"version_affected":"!<","version_value":"3.26.0"}]}}]},"vendor_name":"Facebook"},{"product":{"product_data":[{"product_name":"folly","version":{"version_data":[{"version_affected":"!=>","version_value":"v2018.08.09.00"},{"version_affected":">=","version_value":"v2017.12.11.00"},{"version_affected":"!<","version_value":"v2017.12.11.00"}]}}]},"vendor_name":"Facebook"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Improper Cross-boundary Removal of Sensitive Data (CWE-212)"}]}]},"references":{"reference_data":[{"name":"https://hhvm.com/blog/2018/05/24/hhvm-3.26.3.html","refsource":"MISC","url":"https://hhvm.com/blog/2018/05/24/hhvm-3.26.3.html"},{"name":"https://github.com/facebook/folly/commit/8e927ee48b114c8a2f90d0cbd5ac753795a6761f","refsource":"MISC","url":"https://github.com/facebook/folly/commit/8e927ee48b114c8a2f90d0cbd5ac753795a6761f"},{"name":"https://github.com/facebook/hhvm/commit/e2d10a1e32d01f71aaadd81169bcb9ae86c5d6b8","refsource":"MISC","url":"https://github.com/facebook/hhvm/commit/e2d10a1e32d01f71aaadd81169bcb9ae86c5d6b8"}]}},"nvd":{"publishedDate":"2018-12-31 22:29:00","lastModifiedDate":"2019-10-09 23:41:00","problem_types":["CWE-119"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:facebook:folly:*:*:*:*:*:*:*:*","versionStartIncluding":"2017.12.11.00","versionEndIncluding":"2018.08.09.00","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*","versionStartIncluding":"3.26","versionEndExcluding":"3.26.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"6337","Ordinal":"122400","Title":"CVE-2018-6337","CVE":"CVE-2018-6337","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"6337","Ordinal":"1","NoteData":"folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"6337","Ordinal":"2","NoteData":"2018-12-31","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"6337","Ordinal":"3","NoteData":"2018-12-31","Type":"Other","Title":"Modified"}]}}}