CVE-2014-5386 : The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext

The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initialization vector.

Published 2014-12-28 15:59:02

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2014-5386

Facebook » Hiphop Virtual Machine
Versions up to, including, (<=) 3.2.0
cpe:2.3:a:facebook:hiphop_virtual_machine:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-5386

EPSS FAQ

0.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 45 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-5386

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2014-5386

CWE-310

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-5386

https://github.com/facebook/hhvm/commit/ab6fdeb84fb090b48606b6f7933028cfe7bf3a5e

Fix mcrypt_create_iv(..., MCRYPT_RAND) to auto-seed RNG · facebook/hhvm@ab6fdeb · GitHub

Jump to

Vulnerability Details : CVE-2014-5386

Products affected by CVE-2014-5386

Exploit prediction scoring system (EPSS) score for CVE-2014-5386

CVSS scores for CVE-2014-5386

CWE ids for CVE-2014-5386

References for CVE-2014-5386