#VU105639 Use-after-free in PHP - CVE-2024-11235

Cybersecurity Help s.r.o.

Published: 2025-03-12 | Updated: 2025-03-20

Vulnerability identifier: #VU105639

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-11235

CWE-ID: CWE-416

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in the reference counter within php_request_shutdown function. A remote attacker can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PHP: 8.1.0 - 8.1.31, 8.2.0 - 8.2.27, 8.3.0 - 8.3.17, 8.4.1 - 8.4.4

External links
https://www.php.net/archive/2025.php#2025-03-13
https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for php7

SUSE update for php8

openEuler 24.03 LTS update for php

openEuler 24.03 LTS SP1 update for php

cPanel EasyApache update for PHP

Multiple vulnerabilities in PHP

Fedora 40 update for php

Fedora 41 update for php