Use-after-free in PHP - CVE-2014-8142
Published: November 27, 2018 / Updated: June 17, 2021
Vulnerability identifier: #VU16100
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2014-8142
CWE-ID: CWE-416
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: PHP Group
Affected software:
PHP
PHP
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4. A remote attacker can trigger memory corruption via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object and execute arbitrary code. Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
How to mitigate CVE-2014-8142
Install update from vendor's website.