CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-11236

CVSS 9.8v3.1pub. 2024-11-24upd. 2025-11-03

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

🤖 AI Analysis
How it works

The ldap_escape() function does not properly control the length of input strings passed to it on 32-bit systems. When an attacker supplies a sufficiently long string, an integer variable overflow occurs (CWE-190), resulting in incorrect buffer size calculation. Consequently, data is written outside the allocated memory area (CWE-787, out-of-bounds write), which can lead to heap or stack corruption of the process.

Impact

An attacker can remotely, without authentication, trigger arbitrary code execution (RCE), disclosure of sensitive data, or denial of service (application crash). The complete CIA triad is compromised, confirming the maximum CVSS score for C/I/A components.

Mitigation & patch

PHP should be updated to version 8.1.31, 8.2.26, or 8.3.14 (depending on the branch in use). Patches are also available for Debian distributions (debian-lts-announce message from December 2024). Until an update is applied, consider limiting the length of input data passed to ldap_escape() at the application level or filtering it before processing.

Who is affected

PHP versions 8.1.x before 8.1.31, 8.2.x before 8.2.26, and 8.3.x before 8.3.14, running on 32-bit systems and using the ldap_escape() function.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • PHP

    APP
    Php
    8.1.0 – 8.1.31 (bez)8.2.0 – 8.2.26 (bez)8.3.0 – 8.3.14 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit

CVE-2012-1823CRITICAL9.8⚠ KEVten sam produkt

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi)...

CVE-2026-6722CRITICAL9.5PL ✓ten sam produkt

Use-after-free w rozszerzeniu SOAP PHP umożliwiające RCE

CVE-2024-11235CRITICAL9.2PL ✓ten sam produkt

PHP use-after-free przez __set lub ??= z wyjątkami — RCE

CVE-2022-31631CRITICAL9.1PL ✓ten sam produkt

PHP PDO SQLite — błędne cytowanie ciągów prowadzące do SQL injection