Vulnerability identifier: #VU7345
Vulnerability risk: Low
Exploitation vector: Network
Exploit availability: No
Vendor: PHP Group
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists in the mbstring extension due to a stack out-of-bounds read in match_at() during regular expression searching. A remote attacker can trigger a logical error involving the order of validation and access in match_at() and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Update to version 7.0.21.
Vulnerable software versions
PHP: 7.0.0 - 7.0.20
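A host check for the affected range listed above, as an added example that is not part of the original advisory. The function name `classify_php`, its result labels and the sample `php -v` / `php -m` text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag PHP builds inside the listed
# range 7.0.0 - 7.0.20 that also have the mbstring extension loaded.
# A match is a prompt for review: distribution packages may carry a
# backported fix under an older version number.

# classify_php VERSION_TEXT MODULE_LIST   (hypothetical helper)
# Prints: vulnerable | outside-listed-range | mbstring-absent | unparsed
classify_php() {
    version_text=$1
    modules=$2

    # Take the first x.y.z triple, e.g. from "PHP 7.0.18-0ubuntu0.16.04.1 (cli)".
    ver=$(printf '%s\n' "$version_text" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1)
    if [ -z "$ver" ]; then
        echo unparsed
        return 0
    fi

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # Range from the advisory: 7.0.0 through 7.0.20; 7.0.21 is the fixed release.
    if [ "$major" -ne 7 ] || [ "$minor" -ne 0 ] || [ "$patch" -gt 20 ]; then
        echo outside-listed-range
        return 0
    fi

    # The weakness is in mbstring, so the extension has to be loaded.
    if printf '%s\n' "$modules" | grep -qix 'mbstring'; then
        echo vulnerable
    else
        echo mbstring-absent
    fi
}

# Constructed sample input standing in for `php -v` and `php -m` output.
SAMPLE_VERSION='PHP 7.0.18-0ubuntu0.16.04.1 (cli) ( NTS )'
SAMPLE_MODULES=$(printf '[PHP Modules]\nCore\nmbstring\npcre\n')
classify_php "$SAMPLE_VERSION" "$SAMPLE_MODULES"
```

On a live host, pass the real output instead: `classify_php "$(php -v)" "$(php -m)"`.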
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?