In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
The ldap_escape() function does not properly control the length of input strings passed to it on 32-bit systems. When an attacker supplies a sufficiently long string, an integer variable overflow occurs (CWE-190), resulting in incorrect buffer size calculation. Consequently, data is written outside the allocated memory area (CWE-787, out-of-bounds write), which can lead to heap or stack corruption of the process.
An attacker can remotely, without authentication, trigger arbitrary code execution (RCE), disclosure of sensitive data, or denial of service (application crash). The complete CIA triad is compromised, confirming the maximum CVSS score for C/I/A components.
PHP should be updated to version 8.1.31, 8.2.26, or 8.3.14 (depending on the branch in use). Patches are also available for Debian distributions (debian-lts-announce message from December 2024). Until an update is applied, consider limiting the length of input data passed to ldap_escape() at the application level or filtering it before processing.
PHP versions 8.1.x before 8.1.31, 8.2.x before 8.2.26, and 8.3.x before 8.3.14, running on 32-bit systems and using the ldap_escape() function.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPHP
APPPhp8.1.0 – 8.1.31 (bez)8.2.0 – 8.2.26 (bez)8.3.0 – 8.3.14 (bez)
Related vulnerabilities
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi)...
Use-after-free w rozszerzeniu SOAP PHP umożliwiające RCE
PHP use-after-free przez __set lub ??= z wyjątkami — RCE
PHP PDO SQLite — błędne cytowanie ciągów prowadzące do SQL injection