CVE-2016-7411

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2016-7411
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7411.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-7411
Downstream
Related
Published
2016-09-17T21:59:02Z
Modified
2025-10-14T15:52:11.779666Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43

Affected versions

Other

NEWS
NEWS-cvs2svn

php-5.*

php-5.3.23RC1
php-5.3.29
php-5.3.29RC1
php-5.4.30RC1
php-5.4.32RC1
php-5.4.4RC2
php-5.5.24RC1
php-5.6.18RC1
php-5.6.19RC1
php-5.6.22RC1
php-5.6.23RC1
php-5.6.24RC1

Database specific 

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 17379.0,
                "function_hash": "197201877932423095753011497744349995199"
            },
            "target": {
                "function": "php_var_unserialize",
                "file": "ext/standard/var_unserializer.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2016-7411-4e3db367"
        },
        {
            "digest": {
                "line_hashes": [
                    "55005567468369368611164292450108655693",
                    "246272479898581294141415195713097288047",
                    "34485600507217702948409028682773263832",
                    "278547630791718218670873286455277713422",
                    "222456299962666884299276629321257473395",
                    "35291727437046760115314802880980306756",
                    "287067800058502421881414060793509803309",
                    "101784501276207766053882859089922867928",
                    "253939511003497259484369218287725169133",
                    "28854856498294819377545712021783898922",
                    "161166060838058096464842347185669553186",
                    "181474367725330236228627936428828780565",
                    "113005512450879757736920393970994251271",
                    "241505157048853268832102262950265781146",
                    "3594293359148188515499023312328676559",
                    "317880390176243499692135436385246080583",
                    "193970513563683429955243105150124714990",
                    "151525721448960007540581829422163253235",
                    "131619494778740792699116875231065282177",
                    "97078834316856778775959232843576759181",
                    "39647817218741847542493274976240534278",
                    "53399692971528912546978676753717806626",
                    "50321455944084839922867595985294632014",
                    "76363062086928298842568899046488648244",
                    "121310170061323753236667896826891593092",
                    "128955705140024659375197012355314907405",
                    "289759661604433454892482221109081143288",
                    "77796733071524313036015902594018077902",
                    "211886261311299517599288686036131535765",
                    "257905796037664936509332609224677800107",
                    "294719735237860765637398476327416445721",
                    "30186544984719627458477278072339516591",
                    "305441068158222162468294533060927179439",
                    "151559251473969236755467963490763668964",
                    "206609771344544808170079111675682436404",
                    "211515191059197277653918413978053682008",
                    "95443189681889067216406488785871226590",
                    "308046673847943158751923679736638257672",
                    "218859814643344679439682269398062972195",
                    "277291754795743228726504095839603148340",
                    "194262397844047861045831855113705642502",
                    "290024242022507585635296317920801467716",
                    "311167309118150055281572606216470766031",
                    "330413520066767310680612636428544264413",
                    "230474108440533835333684094958823056084",
                    "311257223181405248642002688951091133607",
                    "24144217229067952620893299293690797341",
                    "329321316663444951586907489049270244205",
                    "136648458098552707076569962137057554508",
                    "82760673428223954557907961665546461370",
                    "231215910029773123735548606864243223410",
                    "155839203016380286836257821256683757584",
                    "176629366749378689263014647448583282832",
                    "53266342243385612284074029149335532682",
                    "23694691058495523090077191577542601144",
                    "150274809359088780602000372262436512070",
                    "12487622487621764019102559827094360717",
                    "47781428044270170749059019373248861671",
                    "54273705678320978012838035296399311828",
                    "179794101545447039629168546290399163481",
                    "249475901685196263829271550987507219396",
                    "317605472097912216777276923192795288090",
                    "24579401128674852397992670066738973964",
                    "1854016455055092506071419626528115352",
                    "134168355472264967570266788995525914741",
                    "263222419994646199297841877693260588443",
                    "320231330622748172812437813276035096047",
                    "255725133322402644474336621799037170610",
                    "269359942060036654764862195073508939172",
                    "297964171743260663501010808886629588488",
                    "337636376025793233532488051128922728120",
                    "145284742622917905257553948364815146187",
                    "210472830864426651601698575483131339672",
                    "275915474511306188687583608935975887020",
                    "243961518786470081839207540806906918506",
                    "285299313028876497852273669209173833",
                    "187734228061571723413972040309685766688",
                    "243258424090245420339006281115630598526",
                    "308504603051266190607283646063077786272",
                    "122826297022855562295195540654569735301",
                    "332176875234483346258249651027821994726",
                    "251345270070948803649407850518045144912",
                    "141690066428905485990073034514404723267",
                    "240889254644274709379433592536123696023",
                    "119958680353381827621805632412498437634",
                    "50518464435721013707919341030016996650",
                    "56253076259826668724418967402968895253",
                    "53379192866757622336511509513884239024",
                    "150696814693602207726377780430234084224",
                    "133442979430562036665962443127864315173",
                    "90400745467137888392261426847917185848",
                    "111664045586250202426077714417272175202",
                    "52745000606477910756160017957810204591",
                    "51388981653003571918957703208683824275",
                    "220842215606896123331208628535140840845",
                    "213130249033199032046794315182446528821",
                    "198848032088164164842610262148194913184",
                    "217234025122291971479387091720116050043",
                    "48321505421424209326462008918037663437",
                    "310674237259908621624993214360276582444",
                    "47688906624705284611146428620712817051",
                    "313570138683617402028941989883696069615",
                    "325169024165300323148198388953566181754",
                    "322407698099982339444906360000862459888",
                    "15870367119770213525165174176275302103",
                    "19315970461890823688547745879354936582",
                    "83957370982233078642358265407006918363",
                    "5054797208326398475430903325449572218",
                    "89200285419740357544164914365775158142",
                    "165533313376618712400587195006111190580",
                    "195106869869900706566048242934186007141",
                    "313665715046923223985413781374347826368",
                    "67359400705853892981826238089652335934",
                    "133568321140615378063136281284471376761",
                    "179959986549877895638117203607717438681",
                    "52517111705528323124995868428434206605",
                    "324631387007369028660060934811745335097",
                    "68632674874864205532735732825981601566",
                    "114252392422215708369766956664663245574",
                    "217700298932011312419715712097098716932",
                    "128137643549413381108879600176764217678",
                    "308838117747157307222935522133103533577",
                    "463303861336674666643253306916977490",
                    "185634801050596730427157755406483480165",
                    "324221861419028180721437023182991746805"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "ext/standard/var_unserializer.c"
            },
            "signature_type": "Line",
            "source": "https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2016-7411-dbd32cdf"
        },
        {
            "digest": {
                "length": 897.0,
                "function_hash": "150567426693144971353226408083285206335"
            },
            "target": {
                "function": "object_common2",
                "file": "ext/standard/var_unserializer.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2016-7411-de0ce1d8"
        },
        {
            "digest": {
                "line_hashes": [
                    "128864551113351862900506164399088993545",
                    "19298251420475046602189816513773744015",
                    "4484577886989682523671866163858172222",
                    "236040157415594621944818356707533437887",
                    "104717128424993184406260918563436280355",
                    "127821859003941900418467277861989027831",
                    "25057723501374932745851002821459632518"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "Zend/zend_objects_API.c"
            },
            "signature_type": "Line",
            "source": "https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2016-7411-df346122"
        }
    ]
}