Heap-based buffer overflow in PHP - CVE-2016-4344
Published: May 22, 2016 / Updated: June 8, 2025
Vulnerability identifier: #VU110254
CSH Severity: High
CVSS v4.0:
CVE-ID: CVE-2016-4344
CWE-ID: CWE-122
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: PHP Group
Affected software:
PHP
PHP
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Integer overflow in the xml_utf8_encode function in ext/xml/xml.c in PHP before 7.0.4. A remote attacker can use a long argument to the utf8_encode function to trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
How to mitigate CVE-2016-4344
Install update from vendor's website.