CVE-2015-8617
published 2016-01-19

CVE-2015-8617: Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary…

Priority: P272, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 23.87% (97.5th percentile)
Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.

Affected

1 range

Vendor    Product    Version range    Fixed in
php       php

Detection & IOCs (extracted from sources)

path: Zend/zend_execute_API.c
url: https://github.com/php/php-src/commit/b101a6bbd4f2181c360bd38e7683df4a03cba83e
version: PHP 7.0.0
  • The vulnerability is triggered by passing format string specifiers (e.g., %n, %s, %x) as a class name in PHP 7.0.0. Monitor PHP error logs or application input for class name strings containing printf-style format specifiers.
  • The vulnerable code path is in zend_throw_or_error() in Zend/zend_execute_API.c. The fix changes `zend_throw_error(exception_ce, message)` to `zend_throw_error(exception_ce, "%s", message)`. Verify patched PHP binaries contain this fix.
  • Only PHP 7.0.0 is affected; PHP versions prior to 7.x and PHP 7.0.1+ are not vulnerable. Confirm PHP version in use via `php --version` or server headers.
  • The crash occurs inside xbuf_format_converter() in main/spprintf.c when a %n format specifier is processed. Stack traces referencing this function during a PHP fatal error on class instantiation should be investigated.
  • Only PHP 7.0.0 is affected. All Red Hat Enterprise Linux packages (php on RHEL 5/6/7, php53, php54-php, php55-php, rh-php56-php) ship PHP versions prior to 7.x and are listed as Not Affected.
  • The vulnerability is limited to the ZEND_FETCH_CLASS_EXCEPTION code path within zend_throw_or_error; only class-not-found error handling in PHP 7.0.0 is exploitable.
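
The log checks described in the bullets above, as an added example (not code from this page or from the PHP project). It assumes the PHP 7 error text `Class '<name>' not found`; the log lines, paths and addresses in `SAMPLE_LOG` are constructed.

```python
import re

# C printf-style conversion: %, optional flags, width, precision, length, conversion letter.
FORMAT_SPEC = re.compile(
    r"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfFgGaAcspn]"
)
# Assumed PHP 7 message shape for a failed class lookup.
CLASS_NOT_FOUND = re.compile(r"Class '(.*?)' not found")
# Function named on this page as the crash site when %n is processed.
CRASH_FRAME = "xbuf_format_converter"


def find_format_specs(class_name):
    """Return every printf-style specifier embedded in a class-name string."""
    return [m.group(0) for m in FORMAT_SPEC.finditer(class_name)]


def scan_log(lines):
    """Return (line_number, kind, detail) for each suspicious log line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = CLASS_NOT_FOUND.search(line)
        if match:
            specs = find_format_specs(match.group(1))
            if specs:
                hits.append((lineno, "format-spec-in-class-name", specs))
        elif CRASH_FRAME in line:
            hits.append((lineno, "crash-frame-in-trace", [CRASH_FRAME]))
    return hits


# Constructed sample input: two benign-looking errors, one with specifiers, one trace frame.
SAMPLE_LOG = [
    "[19-Jan-2016 10:02:11 UTC] PHP Fatal error:  Uncaught Error: "
    "Class 'UserController' not found in /var/www/app/index.php:12",
    "[19-Jan-2016 10:02:15 UTC] PHP Fatal error:  Uncaught Error: "
    "Class '%s%x%n' not found in /var/www/app/index.php:12",
    "[19-Jan-2016 10:02:19 UTC] PHP Fatal error:  Uncaught Error: "
    "Class 'App\\Model\\%08x' not found in /var/www/app/index.php:12",
    "#3 0x00000000006a1b2c in xbuf_format_converter () at main/spprintf.c",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A patched build logs the class name literally, which is what the pattern matches. On PHP 7.0.0 the message is itself used as the format string, so `find_format_specs` is better applied to the raw application input that ends up as a class name.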

CVSS provenance

nvd            v3.0   9.8    CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat         9.8    CRITICAL