Fluid Attacks Database

Description

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	php8.4	>=0 <8.4.5-1	8.4.5-1
debian 14	php8.4	>=0 <8.4.5-1	8.4.5-1
rpm rhel10	php	<0:8.3.19-1.el10_0	0:8.3.19-1.el10_0
rpm rhel6	php	-	-
rpm rhel7	php	-	-
rpm rhel9	php	<0:8.3.19-1.module+el9.6.0+23015+da8065b7	0:8.3.19-1.module+el9.6.0+23015+da8065b7

Aliases

1. CVE-2024-112352. NVD-2024-112353. OSV-DEBIAN-2024-112354. OSV-2024-112355. SECURITY-TRACKER-CVE-2024-11235

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.