CVE-2019-11044
Published: 2019-12-23
Priority: P3 45
CVSS 3.1: 7.5 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 5.12% (91.3th percentile)
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
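The weakness described above is a disagreement between the string the application validates and the C string the operating system call actually uses: PHP keeps a length-counted string containing the NUL, while the Windows link() path in affected builds stops at that byte. The following is an added example (not code from the CVE record, from php-src, or from any of the advisories quoted on this page) showing an application-side check that has exactly this blind spot next to a hardened one that closes it. ALLOWED_DIR, ALLOWED_EXT and the sample file names are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the CVE record or php-src.
// ALLOWED_DIR and ALLOWED_EXT are assumed application policy values.
const ALLOWED_DIR = 'C:\\data\\uploads\\';
const ALLOWED_EXT = '.txt';

/**
 * Weak check: inspects only the PHP string. "notes.txt" passes, but so does
 * "config.ini\0.txt", because the suffix test sees ".txt" while a C-string
 * based filesystem call on an affected Windows build would act on "config.ini".
 */
function weakPathCheck(string $name): bool
{
    return substr($name, -strlen(ALLOWED_EXT)) === ALLOWED_EXT
        && strpos($name, '..') === false;
}

/**
 * Hardened check: reject any embedded NUL (and other control bytes) before the
 * name can reach a filesystem call, then apply the extension policy to the
 * now-unambiguous string. Returns the validated absolute path, or null.
 * The caller is expected to pass a bare file name, not a path.
 */
function safeTargetPath(string $name): ?string
{
    // 1. Embedded NUL: the application and the OS would disagree on the path.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // 2. No directory separators or control characters in a bare file name.
    if (preg_match('/[\\\\\/\x00-\x1f]/', $name) === 1) {
        return null;
    }
    // 3. Extension policy, evaluated on the clean string.
    if (substr($name, -strlen(ALLOWED_EXT)) !== ALLOWED_EXT) {
        return null;
    }
    return ALLOWED_DIR . $name;
}

// Demonstration on constructed inputs; escaped so the NUL is visible in output.
$inputs = ["notes.txt", "config.ini\0.txt", "..\\secret.txt"];
foreach ($inputs as $in) {
    printf("%-22s weak=%-5s safe=%s\n",
        addcslashes($in, "\x00..\x1f"),
        var_export(weakPathCheck($in), true),
        var_export(safeTargetPath($in), true));
}
```

The weak check accepts `config.ini\0.txt`; the hardened check returns null for it and for the separator-bearing name, and only `notes.txt` yields a usable path. Rejecting NUL bytes at the validation boundary is defence in depth that does not depend on which PHP build or which filesystem function is on the other side; the upstream fix is in the versions listed in the table below.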
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| php | php | — | — |
| php | php | 7.2.0 – 7.2.26 | — |
| php | php | 7.3.0 – 7.3.13 | — |
| php_group | php | >= 7.2.x < 7.2.26 | 7.2.26 |
| php_group | php | >= 7.3.x < 7.3.13 | 7.3.13 |
| php_group | php | >= 7.4.x < 7.4.1 | 7.4.1 |
| tenable | securitycenter | < 5.19.0 | 5.19.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | — | 5.0 | MEDIUM | — |
GHSA
GHSA-c8cf-pj9v-fcr9 · ghsa_unreviewed · 2022-05-24 · [HIGH]
CISA ICS
Festo Didactic SE MES PC (ICS Advisory)
cisa_ics · 2026-01-27 · CVSS 7.5 · [HIGH]
Release Date: January 27, 2026
Alert Code: ICSA-26-027-02
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
The
Red Hat
php: link function accepts filenames with embedded null byte and treats them as terminating at that byte on Windows
vendor_redhat · 2019-11-23 · CVSS 5.0 · [MEDIUM] · CWE-170
A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths.
Statement: This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8 as the flaw only affects Windows builds. See CVE-2006-72
No detection rules found.
No public exploits indexed.
HackerOne
PHP link() silently truncates after a null byte on Windows
hackerone · 2020-11-09 · CVSS 3.7 · [LOW]
The bug submitted at: https://bugs.php.net/bug.php?id=78862
The security advisory at: https://nvd.nist.gov/vuln/detail/CVE-2019-11044
The issue allows remote attackers to read or write arbitrary files via crafted input to an application that calls the vulnerable function, as demonstrated by a file\0.ext attack that bypasses an intended configuration in which users may read or write only files.
## Impact
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
Bugzilla
CVE-2019-11044 php: link function accepts filenames with embedded null byte and treats them as terminating at that byte on Windows
bugzilla · 2020-01-08 · CVSS 5.0 · [MEDIUM]
Reference:
https://bugs.php.net/bug.php?id=78862
Discussion:
Upstream fix:
https://github.com/php/php-src/commit/0e6c0654ed06751ced134515f7629c40bd979d7f
---
This flaw is present in the file ext/standard/link_win32.c, which is compiled only on Windows builds.
Similar code is present in ext/standard/link.c and there was a similar flaw there in the past, named CV
References:
https://bugs.php.net/bug.php?id=78862
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
https://security.netapp.com/advisory/ntap-20200103-0002/
https://www.tenable.com/security/tns-2021-14