CVE-2016-7134

Source
https://cve.org/CVERecord?id=CVE-2016-7134
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7134.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-7134
Downstream
Related
Published
2016-09-12T01:59:12.803Z
Modified
2026-07-08T10:53:37.283360Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

ext/curl/interface.c in PHP 7.x before 7.0.10 does not work around a libcurl integer overflow, which allows remote attackers to cause a denial of service (allocation error and heap-based buffer overflow) or possibly have unspecified other impact via a long string that is mishandled in a curl_escape call.

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:php:php:7.0.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.4:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.5:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.6:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.7:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.8:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.0.9:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "7.0.0"
        },
        {
            "last_affected": "7.0.0"
        },
        {
            "introduced": "7.0.1"
        },
        {
            "last_affected": "7.0.1"
        },
        {
            "introduced": "7.0.2"
        },
        {
            "last_affected": "7.0.2"
        },
        {
            "introduced": "7.0.3"
        },
        {
            "last_affected": "7.0.3"
        },
        {
            "introduced": "7.0.4"
        },
        {
            "last_affected": "7.0.4"
        },
        {
            "introduced": "7.0.5"
        },
        {
            "last_affected": "7.0.5"
        },
        {
            "introduced": "7.0.6"
        },
        {
            "last_affected": "7.0.6"
        },
        {
            "introduced": "7.0.7"
        },
        {
            "last_affected": "7.0.7"
        },
        {
            "introduced": "7.0.8"
        },
        {
            "last_affected": "7.0.8"
        },
        {
            "introduced": "7.0.9"
        },
        {
            "last_affected": "7.0.9"
        }
    ],
    "source": [
        "CPE_STRING",
        "REFERENCES"
    ]
}

Affected versions

7.*
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6
7.0.7
7.0.8
7.0.9

Database specific

vanir_signatures
[
    {
        "digest": {
            "function_hash": "227528518145986743866062786954349080389",
            "length": 485.0
        },
        "target": {
            "function": "PHP_FUNCTION",
            "file": "ext/curl/interface.c"
        },
        "id": "CVE-2016-7134-963245d6",
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/php/php-src/commit/72dbb7f416160f490c4e9987040989a10ad431c7",
        "deprecated": false
    },
    {
        "digest": {
            "function_hash": "184380690513653864814768737943733668699",
            "length": 419.0
        },
        "target": {
            "function": "PHP_FUNCTION",
            "file": "ext/curl/interface.c"
        },
        "id": "CVE-2016-7134-b420cec9",
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/php/php-src/commit/72dbb7f416160f490c4e9987040989a10ad431c7",
        "deprecated": false
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "335787309558971530386158521091974235944",
                "59168245641041532536797173049677161686",
                "170355232463213619986421451949240296569",
                "323272686444899214637338609833576987879",
                "230973073276262990912696048641882976157",
                "298474625450453199991691042508450365921",
                "46581261744944443022068226888566926896",
                "182149807505015830507255396834038439832",
                "187567355692959817030279297524340235862",
                "329201391369088865734968587245595121480",
                "215314933792689006791172564644187737241"
            ]
        },
        "target": {
            "file": "ext/curl/interface.c"
        },
        "id": "CVE-2016-7134-b78da87e",
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/php/php-src/commit/72dbb7f416160f490c4e9987040989a10ad431c7",
        "deprecated": false
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7134.json"
vanir_signatures_modified
"2026-07-08T10:53:37Z"