CVE-2019-11046

Summary

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.

Affected Software

VendorProductVersion RangeStatus
PHP GroupPHP7.2.x < 7.2.26affected
PHP GroupPHP7.3.x < 7.3.13affected
PHP GroupPHP7.4.x < 7.4.1affected

Weaknesses

  • CWE-125: CWE-125 Out-of-bounds Read

ADP Enrichment

CVE Program Container

Additional References

References