Описание
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
A flaw was found in PHP. A heap-based buffer overflow occurs in the array_merge function when the total element count of packed arrays exceeds the 32-bit limit or the internal HT_MAX_SIZE due to an integer overflow in the precomputation of element counts using the zend_hash_num_elements function, causing a process crash and potentially memory corruption.
Отчет
To exploit this issue, an attacker must be able to pass arrays to array_merge() containing a very large number of elements, specifically the total element count must exceed the 32-bit integer limit or the internal HT_MAX_SIZE constant. Creating such a massive array often triggers the memory limit of PHP and the system, causing an out-of-memory condition before the buffer overflow can be triggered, increasing the complexity of exploitation. Also, default Red Hat Enterprise Linux security features, including SELinux enforcement, Address Space Layout Randomization (ASLR) and memory protections significantly increase the difficult of achieving arbitrary code execution, limiting the impact of this vulnerability. Due to these reasons, this flaw has been rated with a moderate severity.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | php8.4 | Not affected | ||
| Red Hat Enterprise Linux 6 | php | Not affected | ||
| Red Hat Enterprise Linux 7 | php | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9 | Not affected | ||
| Red Hat OpenShift Dev Spaces | devspaces/code-rhel9 | Not affected | ||
| Red Hat OpenShift Dev Spaces | devspaces-tech-preview/idea-rhel9 | Not affected | ||
| Red Hat Enterprise Linux 10 | php | Fixed | RHSA-2026:1628 | 02.02.2026 |
| Red Hat Enterprise Linux 10.0 Extended Update Support | php | Fixed | RHSA-2026:1185 | 26.01.2026 |
| Red Hat Enterprise Linux 8 | php | Fixed | RHSA-2026:1412 | 27.01.2026 |
| Red Hat Enterprise Linux 8 | php | Fixed | RHSA-2026:2470 | 10.02.2026 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before ...
EPSS
6.5 Medium
CVSS3