CVE-2019-9020 — Out-of-bounds Read in PHP

CWE-125 — Out-of-bounds Read CWE-416 — Use After Free CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer9 documents7 sources

Severity

9.8CRITICALNVD

EPSS

2.4%

top 14.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Php5 Canonical Ubuntu Linux +2 more

Timeline

PublishedFeb 22

Latest updateJan 27

Description

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDphp/php7.0.0 — 7.1.26+3

▶Ubuntuphp5/php5< 5.5.9+dfsg-1ubuntu4.27

▶NVDopensuse/leap42.3

Also affects: Debian Linux 9.0, Ubuntu Linux 12.04, 14.04, 16.04

Patches

Patch: bugs.php.net ↗Patch: bugs.php.net ↗

🔴Vulnerability Details

GHSA

GHSA-48fv-2rrr-rrph: An issue was discovered in PHP before 5↗2022-05-14

▶

OSV

php5, php7.0 vulnerabilities↗2019-03-06

▶

OSV

CVE-2019-9020: An issue was discovered in PHP before 5↗2019-02-22

▶

📋Vendor Advisories

CISA ICS

Festo Didactic SE MES PC↗2026-01-27

▶

Ubuntu

PHP vulnerabilities↗2019-03-12

▶

Ubuntu

PHP vulnerabilities↗2019-03-06

▶

Red Hat

php: Invalid memory access in function xmlrpc_decode()↗2018-12-05

▶

💬Community

Bugzilla

CVE-2019-9020 php: Invalid memory access in function xmlrpc_decode()↗2019-03-04

▶