cbcvebase.
CVE-2021-21708
published 2022-02-27

CVE-2021-21708: In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max…

PriorityP354critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
3.00%
85.7th percentile
In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.

Affected

9 ranges
VendorProductVersion rangeFixed in
debianphp7.4< php7.4 7.4.28-1+deb11u1 (bullseye)php7.4 7.4.28-1+deb11u1 (bullseye)
msrccbl2_php_on_cbl_mariner_2.0
paloaltopan-os
phpphp>= 7.4.0 < 7.4.287.4.28
phpphp>= 8.0.0 < 8.0.168.0.16
phpphp>= 8.1.0 < 8.1.38.1.3
php_groupphp>= 7.4.x < 7.4.287.4.28
php_groupphp>= 8.0.X < 8.0.168.0.16
php_groupphp>= 8.1.X < 8.1.38.1.3

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv9.8CRITICAL
vendor_oracle9.8HIGH
vendor_debian8.2HIGH
vendor_msrc8.2HIGH
vendor_redhat8.2HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.