Vulnerability identifier: #VU7347
Vulnerability risk: Low
Exploitation vector: Network
Exploit availability: No
Vendor: PHP Group
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists in the mbstring extension due to an error in the handling of reg->dmin in forward_search_range(). A remote attacker can trigger a stack out-of-bounds read in mbc_enc_len() during regular expression searching and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Update to version 7.0.21.
Vulnerable software versions
PHP: 7.0.0 - 7.0.20
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?