In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer, due to incorrect patch applied to the third party code from libmagic, incorrect function may be used to free allocated memory, which may lead to heap corruption.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:LPHP
APPPhp8.1.0 – 8.1.8 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Related vulnerabilities
CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit
CVE-2012-1823CRITICAL9.8⚠ KEVten sam produkt
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi)...
CVE-2026-6722CRITICAL9.5PL ✓ten sam produkt
Use-after-free w rozszerzeniu SOAP PHP umożliwiające RCE
CVE-2024-11235CRITICAL9.2PL ✓ten sam produkt
PHP use-after-free przez __set lub ??= z wyjątkami — RCE
CVE-2022-31631CRITICAL9.1PL ✓ten sam produkt
PHP PDO SQLite — błędne cytowanie ciągów prowadzące do SQL injection