#VU527 Arbitrary code execution in PHP

Published: 2016-09-19

Vulnerability identifier: #VU527

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7413


Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Universal components / Libraries / Scripting languages

Vendor: PHP Group

The vulnerability allows a remote or local user to cause arbitrary code execution on the target system.
The weakness is caused by use-after-free memory error in wddx_deserialize() that allows a malicious user to execute arbitrary code.
Successful explotation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Update to 5.6.26.
Update to 7.0.11.

Vulnerable software versions

PHP: 7.0.11, 5.6.26

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability