CVE-2022-31627

CWE-590 CWE-787 — Out-of-bounds Write CWE-119 — Buffer Overflow8 documents8 sources

Severity

9.8CRITICAL

EPSS

0.2%

top 60.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP PHP

Timeline

PublishedJul 28

Latest updateJul 29

Description

In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer, due to incorrect patch applied to the third party code from libmagic, incorrect function may be used to free allocated memory, which may lead to heap corruption.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:LExploitability: 2.2 | Impact: 5.5

Affected Packages3 packages

▶NVDphp/php8.1.0 — 8.1.8

▶CVEListV5php_group/php8.1.X — 8.1.8

▶Ubuntuphp8.1< 8.1.2-1ubuntu2.2

Patches

Patch: bugs.php.net ↗Patch: bugs.php.net ↗

🔴Vulnerability Details

GHSA

GHSA-2c24-m9rj-gq8m: In PHP versions 8↗2022-07-29

▶

CVEList

Heap buffer overflow in finfo_buffer↗2022-07-28

▶

OSV

CVE-2022-31627: In PHP versions 8↗2022-07-15

▶

📋Vendor Advisories

Ubuntu

PHP vulnerability↗2022-07-25

▶

Microsoft

Heap buffer overflow in finfo_buffer↗2022-07-12

▶

Red Hat

php: heap buffer overflow in finfo_buffer↗2022-07-08

▶

Debian

CVE-2022-31627: php7.4 - In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer...↗2022

▶