CVE-2018-10546 — Infinite Loop in PHP

CWE-835 — Infinite Loop8 documents6 sources

Severity

7.5HIGHNVD

OSV4.7

EPSS

64.9%

top 1.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Php5 Canonical Ubuntu Linux +1 more

Timeline

PublishedApr 29

Latest updateMay 13

Description

An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDphp/php7.0.0 — 7.0.30+3

▶Ubuntuphp5/php5< 5.5.9+dfsg-1ubuntu4.25

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10, 18.04

Patches

Patch: php.net ↗Patch: php.net ↗Patch: bugs.php.net ↗

🔴Vulnerability Details

GHSA

GHSA-2396-h4jp-vpjg: An issue was discovered in PHP before 5↗2022-05-13

▶

OSV

php5, php7.0, php7.1, php7.2 vulnerabilities↗2018-05-14

▶

OSV

CVE-2018-10546: An issue was discovered in PHP before 5↗2018-04-29

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2018-05-14

▶

Red Hat

php: Infinite loop in ext/iconv/iconv.c when using stream filter with convert.incov on invalid sequence leads to denial-of-service↗2018-04-26

▶

💬Community

Bugzilla

CVE-2018-10546 php: Infinite loop in ext/iconv/iconv.c when using stream filter with convert.incov on invalid sequence leads to denial-of-service↗2018-05-02

▶

Bugzilla

CVE-2018-10546 CVE-2018-10547 CVE-2018-10548 CVE-2018-10549 php: various flaws [fedora-all]↗2018-05-02

▶