CVE-2019-11049 — Double Free in Group PHP

CWE-415 — Double Free CWE-416 — Use After Free5 documents5 sources

Severity

9.8CRITICALNVD

CNA6.5

EPSS

2.8%

top 13.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP Tenable Securitycenter PHP +2 more

Timeline

PublishedDec 23

Latest updateMay 24

Description

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5php_group/php7.3.x — 7.3.13+1

▶NVDtenable/securitycenter< 5.19.0

▶NVDphp/php7.3.0 — 7.3.13+1

Also affects: Debian Linux 10.0, Fedora 30, 31

Patches

Patch: bugs.php.net ↗Patch: bugs.php.net ↗

🔴Vulnerability Details

GHSA

GHSA-h3jj-5ghg-r32j: In PHP versions 7↗2022-05-24

▶

CVEList

mail() may release string with refcount==1 twice↗2019-12-23

▶

📋Vendor Advisories

Red Hat

php: double free when supplying custom headers to mail function↗2019-12-10

▶

💬Community

Bugzilla

CVE-2019-11049 php: double free when supplying custom headers to mail function↗2020-01-07

▶