CVE-2021-21704 — Out-of-bounds Read in Group PHP

CWE-125 — Out-of-bounds Read CWE-190 — Integer Overflow or Wraparound CWE-787 — Out-of-bounds Write CWE-20 — Improper Input Validation CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer17 documents8 sources

Severity

5.9MEDIUMNVD

CNA5.0

EPSS

0.1%

top 64.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP

Timeline

PublishedOct 4

Latest updateMar 24

Description

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶NVDphp/php7.3.0 — 7.3.29+2

▶CVEListV5php_group/php7.3.x — 7.3.29+2

Patches

Patch: bugs.php.net ↗Patch: bugs.php.net ↗Patch: bugs.php.net ↗

🔴Vulnerability Details

OSV

linux-azure, linux-azure-4.15 vulnerabilities↗2026-03-24

▶

OSV

linux-azure vulnerabilities↗2026-03-24

▶

OSV

linux-azure-fips vulnerabilities↗2026-03-24

▶

OSV

linux-aws-fips, linux-fips, linux-gcp-fips vulnerabilities↗2026-03-20

▶

OSV

linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities↗2026-03-20

▶

📋Vendor Advisories

Microsoft

Multiple vulnerabilities in Firebird client extension↗2021-10-12

▶

Ubuntu

PHP vulnerabilities↗2021-07-13

▶

Ubuntu

PHP vulnerabilities↗2021-07-07

▶

Red Hat

php: security issues in pdo_firebase module↗2021-07-01

▶

Debian

CVE-2021-21704: php7.4 - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, wh...↗2021

▶