CVE-2016-9936
Published: 4 January 2017
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.
Priority
CVSS 3 base score: 9.8
Status
Package | Release | Status |
---|---|---|
php7.0 Launchpad, Ubuntu, Debian |
upstream |
Released
(7.0.14)
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
xenial |
Released
(7.0.15-0ubuntu0.16.04.2)
|
|
yakkety |
Released
(7.0.15-0ubuntu0.16.10.2)
|
|
Patches: upstream: http://git.php.net/?p=php-src.git;a=commit;h=b2af4e8868726a040234de113436c6e4f6372d17 |