CVE-2022-31627

In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer, due to incorrect patch applied to the third party code from libmagic, incorrect function may be used to free allocated memory, which may lead to heap corruption.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.7 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
phpCNA
7.7 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 37%
VendorProductVersion
phpphp
8.1.0 ≤
𝑥
< 8.1.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bullseye
7.4.33-1+deb11u5
fixed
bullseye (security)
7.4.33-1+deb11u6
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php5
kinetic
dne
jammy
dne
impish
dne
focal
dne
bionic
dne
xenial
dne
trusty
not-affected
php7.0
kinetic
dne
jammy
dne
impish
dne
focal
dne
bionic
dne
xenial
not-affected
trusty
dne
php7.2
kinetic
dne
jammy
dne
impish
dne
focal
dne
bionic
not-affected
xenial
dne
trusty
dne
php7.4
kinetic
dne
jammy
dne
impish
dne
focal
not-affected
bionic
dne
xenial
dne
trusty
dne
php8.0
kinetic
dne
jammy
dne
impish
not-affected
focal
dne
bionic
dne
xenial
dne
trusty
dne
php8.1
kinetic
Fixed 8.1.5-1ubuntu3
released
jammy
Fixed 8.1.2-1ubuntu2.2
released
impish
dne
focal
dne
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://bugs.php.net/bug.php?id=81723
https://security.gentoo.org/glsa/202209-20
https://security.netapp.com/advisory/ntap-20220826-0008/
https://bugs.php.net/bug.php?id=81723
https://security.gentoo.org/glsa/202209-20
https://security.netapp.com/advisory/ntap-20220826-0008/