CVE-2022-31627
Heap buffer overflow in finfo_buffer
9.8
CRITICAL
CVSS 3.1
EPSS 0.31%
Description
In PHP versions 8.1.x below 8.1.8, when fileinfo functions such as finfo_buffer are used, an incorrect patch applied to the third-party libmagic code bundled with PHP means that the wrong function may be used to free allocated memory, which may lead to heap corruption.
How to fix CVE-2022-31627
To remediate CVE-2022-31627, upgrade the affected package to a fixed version below.
- Bitnami/libphp—upgrade to 8.1.8 or later
- —upgrade to 8.1.8 or later
- —upgrade to 8.1.8 or later
Is CVE-2022-31627 being exploited?
Low: the EPSS score is 0.3%, i.e. the estimated probability of exploitation in the wild over the next 30 days is low, and exploitation activity has not been observed at scale.
Affected packages (3)
- >= 8.1.0, < 8.1.8
- >= 8.1.0, < 8.1.8
- >= 8.1.0, < 8.1.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |