Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-11235

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

Published

2025-04-04T18:15:48.020

Last Modified

2025-04-30T19:25:17.507

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

Weaknesses

Type: Secondary
CWE-416
Type: Primary
CWE-416

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	php	php	< 8.3.19	Yes
Application	php	php	< 8.4.5	Yes

References

https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477 Exploit, Vendor Advisory ([email protected])
https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477 Exploit, Vendor Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)