CVE-2016-4538

Source
https://cve.org/CVERecord?id=CVE-2016-4538
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4538.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-4538
Downstream
Related
Published
2016-05-22T01:59:22.933Z
Modified
2026-07-08T05:48:58.128716056Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are copies of the zero, one, or two global variable, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.

Database specific
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "24"
                },
                {
                    "last_affected": "24"
                }
            ],
            "vendor_product": "fedoraproject:fedora",
            "source": "CPE_STRING"
        },
        {
            "cpes": [
                "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*"
            ],
            "vendor_product": "opensuse:leap",
            "extracted_events": [
                {
                    "introduced": "42.1"
                },
                {
                    "last_affected": "42.1"
                }
            ],
            "source": "CPE_STRING"
        }
    ]
}
References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
Last affected
Database specific
{
    "cpe": [
        "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.4:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.5:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.6:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.7:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.8:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.9:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.10:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.11:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.12:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.13:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.14:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.15:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.16:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.17:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.18:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.19:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:5.6.20:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.4:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.5:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.5.33"
        },
        {
            "introduced": "5.6.0"
        },
        {
            "last_affected": "5.6.0"
        },
        {
            "introduced": "5.6.1"
        },
        {
            "last_affected": "5.6.1"
        },
        {
            "introduced": "5.6.2"
        },
        {
            "last_affected": "5.6.2"
        },
        {
            "introduced": "5.6.3"
        },
        {
            "last_affected": "5.6.3"
        },
        {
            "introduced": "5.6.4"
        },
        {
            "last_affected": "5.6.4"
        },
        {
            "introduced": "5.6.5"
        },
        {
            "last_affected": "5.6.5"
        },
        {
            "introduced": "5.6.6"
        },
        {
            "last_affected": "5.6.6"
        },
        {
            "introduced": "5.6.7"
        },
        {
            "last_affected": "5.6.7"
        },
        {
            "introduced": "5.6.8"
        },
        {
            "last_affected": "5.6.8"
        },
        {
            "introduced": "5.6.9"
        },
        {
            "last_affected": "5.6.9"
        },
        {
            "introduced": "5.6.10"
        },
        {
            "last_affected": "5.6.10"
        },
        {
            "introduced": "5.6.11"
        },
        {
            "last_affected": "5.6.11"
        },
        {
            "introduced": "5.6.12"
        },
        {
            "last_affected": "5.6.12"
        },
        {
            "introduced": "5.6.13"
        },
        {
            "last_affected": "5.6.13"
        },
        {
            "introduced": "5.6.14"
        },
        {
            "last_affected": "5.6.14"
        },
        {
            "introduced": "5.6.15"
        },
        {
            "last_affected": "5.6.15"
        },
        {
            "introduced": "5.6.16"
        },
        {
            "last_affected": "5.6.16"
        },
        {
            "introduced": "5.6.17"
        },
        {
            "last_affected": "5.6.17"
        },
        {
            "introduced": "5.6.18"
        },
        {
            "last_affected": "5.6.18"
        },
        {
            "introduced": "5.6.19"
        },
        {
            "last_affected": "5.6.19"
        },
        {
            "introduced": "5.6.20"
        },
        {
            "last_affected": "5.6.20"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "last_affected": "7.0.0"
        },
        {
            "introduced": "7.0.1"
        },
        {
            "last_affected": "7.0.1"
        },
        {
            "introduced": "7.0.2"
        },
        {
            "last_affected": "7.0.2"
        },
        {
            "introduced": "7.0.3"
        },
        {
            "last_affected": "7.0.3"
        },
        {
            "introduced": "7.0.4"
        },
        {
            "last_affected": "7.0.4"
        },
        {
            "introduced": "7.0.5"
        },
        {
            "last_affected": "7.0.5"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ]
}

Affected versions

5.*
5.6.0
5.6.1
5.6.10
5.6.11
5.6.12
5.6.13
5.6.14
5.6.15
5.6.16
5.6.17
5.6.18
5.6.19
5.6.2
5.6.20
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.8
5.6.9
7.*
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS
php-5.*
php-5.5.33
php-7.*
php-7.0.5
php-7.0.5RC1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4538.json"