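ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object. The signatures below target ext/standard/var_unserializer.c, the C file that re2c generates from this .re source, and Zend/zend_objects_API.c; all four cite the same upstream php-src commit as their source.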
{ "vanir_signatures": [ { "digest": { "length": 17379.0, "function_hash": "197201877932423095753011497744349995199" }, "target": { "function": "php_var_unserialize", "file": "ext/standard/var_unserializer.c" }, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2016-7411-4e3db367", "source": "https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43", "deprecated": false }, { "digest": { "line_hashes": [ "55005567468369368611164292450108655693", "246272479898581294141415195713097288047", "34485600507217702948409028682773263832", "278547630791718218670873286455277713422", "222456299962666884299276629321257473395", "35291727437046760115314802880980306756", "287067800058502421881414060793509803309", "101784501276207766053882859089922867928", "253939511003497259484369218287725169133", "28854856498294819377545712021783898922", "161166060838058096464842347185669553186", "181474367725330236228627936428828780565", "113005512450879757736920393970994251271", "241505157048853268832102262950265781146", "3594293359148188515499023312328676559", "317880390176243499692135436385246080583", "193970513563683429955243105150124714990", "151525721448960007540581829422163253235", "131619494778740792699116875231065282177", "97078834316856778775959232843576759181", "39647817218741847542493274976240534278", "53399692971528912546978676753717806626", "50321455944084839922867595985294632014", "76363062086928298842568899046488648244", "121310170061323753236667896826891593092", "128955705140024659375197012355314907405", "289759661604433454892482221109081143288", "77796733071524313036015902594018077902", "211886261311299517599288686036131535765", "257905796037664936509332609224677800107", "294719735237860765637398476327416445721", "30186544984719627458477278072339516591", "305441068158222162468294533060927179439", "151559251473969236755467963490763668964", "206609771344544808170079111675682436404", "211515191059197277653918413978053682008", 
"95443189681889067216406488785871226590", "308046673847943158751923679736638257672", "218859814643344679439682269398062972195", "277291754795743228726504095839603148340", "194262397844047861045831855113705642502", "290024242022507585635296317920801467716", "311167309118150055281572606216470766031", "330413520066767310680612636428544264413", "230474108440533835333684094958823056084", "311257223181405248642002688951091133607", "24144217229067952620893299293690797341", "329321316663444951586907489049270244205", "136648458098552707076569962137057554508", "82760673428223954557907961665546461370", "231215910029773123735548606864243223410", "155839203016380286836257821256683757584", "176629366749378689263014647448583282832", "53266342243385612284074029149335532682", "23694691058495523090077191577542601144", "150274809359088780602000372262436512070", "12487622487621764019102559827094360717", "47781428044270170749059019373248861671", "54273705678320978012838035296399311828", "179794101545447039629168546290399163481", "249475901685196263829271550987507219396", "317605472097912216777276923192795288090", "24579401128674852397992670066738973964", "1854016455055092506071419626528115352", "134168355472264967570266788995525914741", "263222419994646199297841877693260588443", "320231330622748172812437813276035096047", "255725133322402644474336621799037170610", "269359942060036654764862195073508939172", "297964171743260663501010808886629588488", "337636376025793233532488051128922728120", "145284742622917905257553948364815146187", "210472830864426651601698575483131339672", "275915474511306188687583608935975887020", "243961518786470081839207540806906918506", "285299313028876497852273669209173833", "187734228061571723413972040309685766688", "243258424090245420339006281115630598526", "308504603051266190607283646063077786272", "122826297022855562295195540654569735301", "332176875234483346258249651027821994726", "251345270070948803649407850518045144912", 
"141690066428905485990073034514404723267", "240889254644274709379433592536123696023", "119958680353381827621805632412498437634", "50518464435721013707919341030016996650", "56253076259826668724418967402968895253", "53379192866757622336511509513884239024", "150696814693602207726377780430234084224", "133442979430562036665962443127864315173", "90400745467137888392261426847917185848", "111664045586250202426077714417272175202", "52745000606477910756160017957810204591", "51388981653003571918957703208683824275", "220842215606896123331208628535140840845", "213130249033199032046794315182446528821", "198848032088164164842610262148194913184", "217234025122291971479387091720116050043", "48321505421424209326462008918037663437", "310674237259908621624993214360276582444", "47688906624705284611146428620712817051", "313570138683617402028941989883696069615", "325169024165300323148198388953566181754", "322407698099982339444906360000862459888", "15870367119770213525165174176275302103", "19315970461890823688547745879354936582", "83957370982233078642358265407006918363", "5054797208326398475430903325449572218", "89200285419740357544164914365775158142", "165533313376618712400587195006111190580", "195106869869900706566048242934186007141", "313665715046923223985413781374347826368", "67359400705853892981826238089652335934", "133568321140615378063136281284471376761", "179959986549877895638117203607717438681", "52517111705528323124995868428434206605", "324631387007369028660060934811745335097", "68632674874864205532735732825981601566", "114252392422215708369766956664663245574", "217700298932011312419715712097098716932", "128137643549413381108879600176764217678", "308838117747157307222935522133103533577", "463303861336674666643253306916977490", "185634801050596730427157755406483480165", "324221861419028180721437023182991746805" ], "threshold": 0.9 }, "target": { "file": "ext/standard/var_unserializer.c" }, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2016-7411-dbd32cdf", 
"source": "https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43", "deprecated": false }, { "digest": { "length": 897.0, "function_hash": "150567426693144971353226408083285206335" }, "target": { "function": "object_common2", "file": "ext/standard/var_unserializer.c" }, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2016-7411-de0ce1d8", "source": "https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43", "deprecated": false }, { "digest": { "line_hashes": [ "128864551113351862900506164399088993545", "19298251420475046602189816513773744015", "4484577886989682523671866163858172222", "236040157415594621944818356707533437887", "104717128424993184406260918563436280355", "127821859003941900418467277861989027831", "25057723501374932745851002821459632518" ], "threshold": 0.9 }, "target": { "file": "Zend/zend_objects_API.c" }, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2016-7411-df346122", "source": "https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43", "deprecated": false } ] }