Null pointer dereference in php7 (Alpine package)

Published: 2017-07-07
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2017-9229
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: php7 (Alpine package)
Operating systems & Components / Operating system package or component

Vendor: Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Null pointer dereference


Risk: Low


CVE-ID: CVE-2017-9229

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No


The vulnerability allows a remote attacker to cause a denial of service (DoS) condition.

The weakness exists in mbstring due to an error in the handling of reg->dmin in forward_search_range(). A remote attacker can trigger a SIGSEGV in left_adjust_char_head() during regular expression compilation, causing a NULL pointer dereference and crashing the application.

Successful exploitation of the vulnerability results in denial of service.


Install the update from the vendor's website.

Vulnerable software versions

php7 (Alpine package): 7.0.7-r0 - 7.0.21-r0
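
A plain string comparison misjudges this range, because "7.0.16-r0" sorts before "7.0.7-r0" lexically. The following is an added example, not part of the bulletin or of Alpine's tooling: a numeric check of an installed php7 version against the range above. The function names are hypothetical, the sample inventory lines are constructed, and only dotted-numeric versions with an -rN revision are handled.

```python
import re

# Inclusive vulnerable range exactly as listed in this bulletin.
VULN_FIRST = "7.0.7-r0"
VULN_LAST = "7.0.21-r0"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-r(\d+)$")


def parse_apk_version(version):
    """Split 'X.Y.Z-rN' into ((X, Y, Z), N) so fields compare numerically.

    Simplification (assumption): only dotted-numeric versions with an -rN
    revision are accepted; suffixes such as _rc1 or _p2 are rejected.
    """
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError("unsupported version string: %r" % version)
    upstream = tuple(int(part) for part in match.group(1).split("."))
    return upstream, int(match.group(2))


def is_vulnerable(installed):
    """True if the installed php7 version lies inside the bulletin's range."""
    low, high = parse_apk_version(VULN_FIRST), parse_apk_version(VULN_LAST)
    return low <= parse_apk_version(installed) <= high


def strip_package_name(pkg_version, name="php7"):
    """Turn 'php7-7.0.16-r0' (name-version form) into '7.0.16-r0'."""
    prefix = name + "-"
    if not pkg_version.startswith(prefix):
        raise ValueError("not a %s package: %r" % (name, pkg_version))
    return pkg_version[len(prefix):]


if __name__ == "__main__":
    # Constructed sample inventory lines, not taken from a real host.
    for line in ["php7-7.0.6-r0", "php7-7.0.16-r0",
                 "php7-7.0.21-r0", "php7-7.0.22-r0"]:
        version = strip_package_name(line)
        print(line, "VULNERABLE" if is_vulnerable(version) else "not in range")
```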
