CVE-2024-8926

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for  CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3  may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

How to fix CVE-2024-8926

To remediate CVE-2024-8926, upgrade the affected package to a fixed version below.

• —upgrade to 8.1.30 or later
• —upgrade to 8.1.30 or later
• —upgrade to 8.1.30 or later
• —upgrade to 8.2.24-1~deb12u1 or later

Is CVE-2024-8926 being exploited?

Low — EPSS is 2.7%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12
• from 0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12
• from 0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12
• from 0, < 8.2.24-1~deb12u1

CVSS scores

References (5)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-8926
• WEBgithub.com/advisories/GHSA-vxpp-6299-mxw3
• WEBgithub.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq
• WEBnvd.nist.gov/vuln/detail/CVE-2024-8926
• WEB