CVE-2018-10546
published 2018-04-29

Priority: P3 · 43 · high · 7.5 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 10.56% (95.2th percentile)
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.

Affected

11 ranges

Vendor      Product        Version range                   Fixed in
canonical   ubuntu_linux
canonical   ubuntu_linux
canonical   ubuntu_linux
canonical   ubuntu_linux
debian      debian_linux
debian      debian_linux
php         php            < 5.6.36                        5.6.36
php         php            >= 7.0.0 < 7.0.30               7.0.30
php         php            >= 7.1.0 < 7.1.17               7.1.17
php         php            >= 7.2.0 < 7.2.5                7.2.5
php5        php5           >= 0 < 5.5.9+dfsg-1ubuntu4.25   5.5.9+dfsg-1ubuntu4.25

Detection & IOCs

  • The vulnerability is triggered via the iconv stream filter using the 'convert.iconv' filter on invalid multibyte sequences, causing an infinite loop in ext/iconv/iconv.c; monitor for PHP processes hanging or consuming excessive CPU when processing stream filters.
  • Attack vector is remote: a remote attacker sending invalid multibyte sequences through a PHP application using the iconv stream filter can cause a denial of service by hanging the PHP process.
  • The upstream patch commit can be used to identify the exact code change and derive file-integrity or behavioral detections: https://git.php.net/?p=php-src.git;a=commit;h=06d309fd7a917575d65c7a6f4f57b0e6bb0f9711
  • Red Hat notes that RHEL 5, 6, and 7 ship vulnerable code but the linked test case (using a php://memory stream) could not be reproduced; other trigger paths may still exist.
  • Affected PHP versions are before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5; PHP 8 on RHEL is listed as not affected.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:N/I:N/A:P
osv                       7.5     HIGH
vendor_redhat             7.5     HIGH
vendor_ubuntu             4.7     MEDIUM