CVE-2024-11235
Reference counting in php_request_shutdown causes Use-After-Free
CVSS 3.1 base score: 8.1 (HIGH)
EPSS: 0.57%
Description
In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving the __set handler or the ??= operator together with exceptions can lead to a use-after-free vulnerability. If a third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.
How to fix CVE-2024-11235
To remediate CVE-2024-11235, upgrade the affected package to a fixed version below.
- — upgrade to 8.3.19 or later
- — upgrade to 8.3.19 or later
- — upgrade to 8.3.19 or later
- — upgrade to 8.4.5-1 or later
Is CVE-2024-11235 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 8.3.0, < 8.3.19; >= 8.4.0, < 8.4.5
- >= 8.3.0, < 8.3.19; >= 8.4.0, < 8.4.5
- >= 8.3.0, < 8.3.19; >= 8.4.0, < 8.4.5
- from 0, < 8.4.5-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber |
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |