CVE-2016-7480

Summary

The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.

Affected Software

VendorProductVersion RangeStatus
n/aPHP before 7.0.12PHP before 7.0.12affected

Weaknesses

  • missing data-type validation

ADP Enrichment

CVE Program Container

Additional References

References