Vulnerability identifier: #VU7348
Vulnerability risk: High
Exploitation vector: Network
Exploit availability: No
Vendor: PHP Group
The vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists in the mbstring extension: an incorrect state transition in parse_char_class() leads to a heap out-of-bounds write in bitset_set_range() during regular expression compilation. A remote attacker can trigger the out-of-bounds write, corrupt memory, and execute arbitrary code with web server privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 7.0.21.
Vulnerable software versions
PHP: 7.0.0 - 7.0.20
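A triage check for the range and component named above, as an added example that is not vendor code. The function names are hypothetical and the sample version string and module list are constructed; distribution packages can carry backported fixes under an unchanged upstream version, so an in-range result still needs checking against the distributor's advisory.

```shell
#!/bin/sh
# Added triage example (not vendor code). Range and component come from the
# advisory: PHP 7.0.0 - 7.0.20, mbstring. Function names are hypothetical.

# 0 = version inside the advisory's range, 1 = outside, 2 = unparseable.
php_version_affected() {
    core=${1%%[-+~]*}        # drop packaging suffix, e.g. "-0ubuntu0.16.04.1"
    case $core in
        ''|*[!0-9.]*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $core             # split into major, minor, patch
    IFS=$old_ifs
    [ $# -eq 3 ] || return 2
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || return 2
    [ "$1" -eq 7 ] && [ "$2" -eq 0 ] && [ "$3" -le 20 ] && return 0
    return 1
}

# Print a one-line verdict for a version string plus a module list
# (the text produced by `php -m`, one module name per line).
triage() {
    if php_version_affected "$1"; then
        if printf '%s\n' "$2" | grep -qix 'mbstring'; then
            echo "in-range: mbstring loaded, update to 7.0.21"
        else
            echo "in-range: mbstring not loaded"
        fi
    else
        case $? in
            1) echo "outside-range" ;;
            *) echo "unparseable-version" ;;
        esac
    fi
}

# Gather both inputs from a local interpreter (binary name is an assumption).
triage_local() {
    bin=${1:-php}
    command -v "$bin" >/dev/null 2>&1 || { echo "no-php-binary"; return 0; }
    triage "$("$bin" -r 'echo PHP_VERSION;')" "$("$bin" -m)"
}

# Constructed sample input: a packaged version string and a short module list.
triage "7.0.20-0ubuntu0.16.04.1" "$(printf 'Core\nmbstring\npcre\n')"
```

Run `triage_local` on a host to evaluate the installed interpreter, or `triage_local /path/to/php` for a specific binary.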
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?