CVE-2024-11235: Reference counting in php_request_shutdown causes Use-After-Free

9.2 CVSS

Description

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

Classification

CVE ID: CVE-2024-11235

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.2

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber

Problem Types

CWE-416 Use After Free

Affected Products

Vendor: PHP Group

Product: PHP

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.27% (probability of being exploited)

EPSS Percentile: 50.17% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-11235
https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477

Timeline

2025-03-21 13:15:31 UTC
Tenable Plugins

Fedora 40 : php (2025-4e7e2c40e0)
2025-03-21 13:15:31 UTC
Tenable Plugins

Fedora 41 : php (2025-8d0acf5a57)
2025-03-25 12:00:48 UTC
Tenable Plugins

SUSE SLES15 Security Update : php8 (SUSE-SU-2025:0994-1)
2025-03-27 12:15:28 UTC
Tenable Plugins

SUSE SLES15 / openSUSE 15 Security Update : php7 (SUSE-SU-2025:1025-1)
2025-03-27 12:15:28 UTC
Tenable Plugins

SUSE SLES15 Security Update : php7 (SUSE-SU-2025:1026-1)
2025-04-01 10:15:30 UTC
Tenable Plugins

Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 : PHP vulnerabilities (USN-7400-1)
2025-04-04 18:40:10 UTC
CVE

Reference counting in php_request_shutdown causes Use-After-Free