Описание
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra-legacy/trusty | not-affected | 8.4+ only |
| jammy | DNE | |
| noble | DNE | |
| questing | DNE | |
| resolute | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra-legacy/xenial | not-affected | 8.4+ only |
| esm-infra/xenial | ignored | end of ESM support, was needs-triage |
| jammy | DNE | |
| noble | DNE | |
| questing | DNE | |
| resolute | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra/bionic | not-affected | 8.4+ only |
| jammy | DNE | |
| noble | DNE | |
| questing | DNE | |
| resolute | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra/focal | not-affected | 8.4+ only |
| jammy | DNE | |
| noble | DNE | |
| questing | DNE | |
| resolute | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| jammy | not-affected | 8.4+ only |
| noble | DNE | |
| questing | DNE | |
| resolute | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| jammy | DNE | |
| noble | not-affected | 8.4+ only |
| questing | DNE | |
| resolute | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| jammy | DNE | |
| noble | DNE | |
| questing | released | 8.4.11-1ubuntu1.2 |
| resolute | DNE | |
| upstream | released | 8.4.21 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | pending | 8.5.4-0ubuntu2 |
| jammy | DNE | |
| noble | DNE | |
| questing | DNE | |
| resolute | released | 8.5.4-0ubuntu1.1 |
| upstream | released | 8.5.6 |
Показывать по
EPSS
9.1 Critical
CVSS3
Связанные уязвимости
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an en ...
Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
EPSS
9.1 Critical
CVSS3