Description
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, and 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
A flaw was found in PHP. The getimagesize() function may leak uninitialized heap memory when processing images in multi-chunk mode, such as through php://filter. This vulnerability, caused by a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, allows an attacker to potentially disclose sensitive information from the server's memory. This could compromise the confidentiality of data on the affected server.
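The read-loop defect described above, as an added example: this is a simplified model written for this page, not PHP's source code. The names `chunk_stream`, `stream_read`, `read_all_flawed`, `read_all_fixed` and `stale_after_read` are hypothetical, and the `STALE` fill byte stands in for whatever an uninitialized heap buffer would contain.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a stream that returns at most `chunk` bytes per
   read, as a filtered stream may. This is not PHP's stream API. */
struct chunk_stream { const unsigned char *data; size_t len, pos, chunk; };

static size_t stream_read(struct chunk_stream *s, unsigned char *dst, size_t want) {
    size_t left = s->len - s->pos;
    size_t n = want < left ? want : left;
    if (n > s->chunk) n = s->chunk;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Flawed pattern: every chunk lands at buf[0], so the tail is never written. */
static size_t read_all_flawed(struct chunk_stream *s, unsigned char *buf, size_t len) {
    size_t total = 0, n;
    while (total < len && (n = stream_read(s, buf, len - total)) > 0)
        total += n;
    return total;
}

/* Corrected pattern: the destination advances by the bytes already read. */
static size_t read_all_fixed(struct chunk_stream *s, unsigned char *buf, size_t len) {
    size_t total = 0, n;
    while (total < len && (n = stream_read(s, buf + total, len - total)) > 0)
        total += n;
    return total;
}

#define STALE 0xAA /* assumed marker for bytes the reader never overwrote */

/* Counts bytes of a len-byte buffer that still hold STALE after the read. */
static size_t stale_after_read(int fixed, size_t len, size_t chunk) {
    unsigned char src[64], buf[64];
    size_t i, stale = 0;
    if (len > sizeof buf) return (size_t)-1;
    for (i = 0; i < len; i++) src[i] = (unsigned char)(i & 0x7F); /* never STALE */
    memset(buf, STALE, sizeof buf);
    struct chunk_stream s = { src, len, 0, chunk };
    size_t got = fixed ? read_all_fixed(&s, buf, len) : read_all_flawed(&s, buf, len);
    if (got != len) return (size_t)-1; /* both loops report a full read */
    for (i = 0; i < len; i++) if (buf[i] == STALE) stale++;
    return stale;
}

int main(void) {
    printf("flawed, 8-byte chunks: %zu stale bytes\n", stale_after_read(0, 32, 8));
    printf("fixed,  8-byte chunks: %zu stale bytes\n", stale_after_read(1, 32, 8));
    return 0;
}
```

Both loops return the full requested length, so a caller cannot tell from the return value that the tail was never filled; with a single-chunk read the flawed loop leaves nothing stale, which matches the description's point that only multi-chunk reads are affected.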
Statement
This vulnerability is rated Low for Red Hat. The flaw in PHP's getimagesize() function can lead to information disclosure by leaking uninitialized heap memory when processing multi-chunk images, potentially via php://filter. This affects the confidentiality of data on systems running affected PHP versions in Red Hat Enterprise Linux 8 (php:8.2/php), Red Hat Enterprise Linux 9 (php, php:8.2/php, php:8.3/php), and Red Hat Enterprise Linux 10 (php, php8.4). The PHP 7 streams for Red Hat Enterprise Linux 7 and 8 are not affected by this vulnerability, because they read and store image metadata differently from the affected PHP 8 versions.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | php8.4 | Fix deferred | ||
| Red Hat Enterprise Linux 6 | php | Out of support scope | ||
| Red Hat Enterprise Linux 7 | php | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9 | Fix deferred | ||
| Red Hat OpenShift Dev Spaces | devspaces/code-rhel9 | Fix deferred | ||
| Red Hat OpenShift Dev Spaces | devspaces-tech-preview/idea-rhel9 | Fix deferred | ||
| Red Hat Enterprise Linux 10 | php | Fixed | RHSA-2026:1628 | 02.02.2026 |
| Red Hat Enterprise Linux 8 | php | Fixed | RHSA-2026:1412 | 27.01.2026 |
| Red Hat Enterprise Linux 8 | php | Fixed | RHSA-2026:2470 | 10.02.2026 |
| Red Hat Enterprise Linux 9 | php | Fixed | RHSA-2026:1409 | 27.01.2026 |
Additional information
Status:
CVSS3: 3.7 Low