CVE-2016-7480
published 2017-01-11


Priority: P2 (62) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 41.56% (98.5th percentile)
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | >= 7.0.0, < 7.0.11 | 7.0.11 |
| php5 | php5 | >= 0, < 5.5.9+dfsg-1ubuntu4.20 | 5.5.9+dfsg-1ubuntu4.20 |

Detection & IOCs

path: ext/spl/spl_observer.c
url: https://github.com/php/php-src/commit/61cdd1255d5b9c8453be71aacbbf682796ac77d4
url: https://bugs.php.net/bug.php?id=73257
  • Trigger vector is crafted serialized data reaching SplObjectStorage::unserialize() in which a key is not an object; monitor for deserialization of untrusted input that reaches SplObjectStorage on PHP < 7.0.12.
  • Flag use of PHP's unserialize() on untrusted or remote input, particularly where SplObjectStorage objects are involved; the defect lies in SplObjectStorage's own unserialize implementation.
  • Affected PHP versions are those before 7.0.12. Red Hat marked all affected packages (php on RHEL 5/6/7, php53, rh-php56-php, rh-php70-php, OpenShift Enterprise 2) as 'Will not fix', so upgrading to upstream PHP 7.0.12 or later is the remediation path.
  • The vulnerability is specific to the SplObjectStorage unserialize path, but PHP's unserialize() on untrusted data is broadly unsafe beyond this CVE because of object instantiation and autoloading side effects.

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |