#VU523 Arbitrary code execution in PHP


Published: 2016-09-19

Vulnerability identifier: #VU523

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2016-7416

CWE-ID: CWE-284

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote or local user to cause arbitrary code execution on the target system.
The weakness is caused by memory corruption in local data handling that allows a malicious user to get access to the system and cause arbitrary code execution.
Successful explotation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation
Update to 5.6.26.
http://php.net/ChangeLog-5.php#5.6.26
Update to 7.0.11.
http://php.net/ChangeLog-7.php#7.0.11

Vulnerable software versions

PHP: 7.0.11, 5.6.26

CPE

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Red Hat update for php
SUSE Linux update for php5
Arbitrary code execution in php (Alpine package)
OpenSUSE Linux update for php5
SUSE Linux update for php5
SUSE Linux update for php53
SUSE Linux update for php53
OpenSUSE Linux update for php5
Slackware Linux update for php
Arch Linux update for php