CVE-2016-9936

EUVD-2016-10723
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
Affected Products (NVD)
VendorProductVersion
phpphp
7.0.0
phpphp
7.0.1
phpphp
7.0.2
phpphp
7.0.3
phpphp
7.0.4
phpphp
7.0.5
phpphp
7.0.6
phpphp
7.0.7
phpphp
7.0.8
phpphp
7.0.9
phpphp
7.0.10
phpphp
7.0.11
phpphp
7.0.12
phpphp
7.0.13
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php7.0
precise
dne
trusty
dne
xenial
Fixed 7.0.15-0ubuntu0.16.04.2
released
yakkety
Fixed 7.0.15-0ubuntu0.16.10.2
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-updates/2017-01/msg00034.html
http://www.openwall.com/lists/oss-security/2016/12/12/2
http://www.php.net/ChangeLog-7.php
http://www.securityfocus.com/bid/94849
https://access.redhat.com/errata/RHSA-2018:1296
https://bugs.php.net/bug.php?id=72978
https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17
http://lists.opensuse.org/opensuse-updates/2017-01/msg00034.html
http://www.openwall.com/lists/oss-security/2016/12/12/2
http://www.php.net/ChangeLog-7.php
http://www.securityfocus.com/bid/94849
https://access.redhat.com/errata/RHSA-2018:1296
https://bugs.php.net/bug.php?id=72978
https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17