CVE-2024-11235 - Vulnerability Details

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Php	Php
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
php-0:8.3.19-1.el10_0	cpe:/o:redhat:enterprise_linux:10.0	RHSA-2025:7489	2025-05-13T00:00:00Z
Red Hat Enterprise Linux 9
php:8.3-9060020250409105946.9	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:7418	2025-05-13T00:00:00Z

References

Link	Providers
https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477
https://nvd.nist.gov/vuln/detail/CVE-2024-11235
https://www.cve.org/CVERecord?id=CVE-2024-11235

History

Wed, 14 May 2025 03:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products		Redhat Redhat enterprise Linux

Wed, 30 Apr 2025 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Php Php php
CPEs		cpe:2.3:a:php:php::::::::
Vendors & Products		Php Php php
Metrics	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}`	cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 07 Apr 2025 14:00:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-11235 https://www.cve.org/CVERecord?id=CVE-2024-11235
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}` threat_severity `Important`

Fri, 04 Apr 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 04 Apr 2025 18:00:00 +0000

Type	Values Removed	Values Added
Description		In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.
Title		Reference counting in php_request_shutdown causes Use-After-Free
Weaknesses		CWE-416
References		https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477
Metrics		cvssV4_0 `{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber'}`

MITRE

Status: PUBLISHED

Assigner: php

Published: 2025-04-04T17:51:07.550Z

Updated: 2025-04-05T03:55:36.686Z

Reserved: 2024-11-15T06:26:33.249Z

Link: CVE-2024-11235

Vulnrichment

Updated: 2025-04-04T19:50:12.693Z

NVD

Status : Analyzed

Published: 2025-04-04T18:15:48.020

Modified: 2025-04-30T19:25:17.507

Link: CVE-2024-11235

Redhat

Severity : Important

Publid Date: 2025-04-04T17:51:07Z

Links: CVE-2024-11235 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11235", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2024-11-15T06:26:33.249Z", "datePublished": "2025-04-04T17:51:07.550Z", "dateUpdated": "2025-04-05T03:55:36.686Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PHP", "vendor": "PHP Group", "versions": [{"lessThan": "8.4.5", "status": "affected", "version": "8.4.*", "versionType": "semver"}, {"lessThan": "8.3.19", "status": "affected", "version": "8.3.*", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Junwha Hong"}], "datePublic": "2025-03-13T17:44:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or <span style=\"background-color: rgba(129, 139, 152, 0.12);\">??=  </span>operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution. "}], "value": "In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=\u00a0\u00a0operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 9.2, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2025-04-04T17:55:56.918Z"}, "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477"}], "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc", "discovery": "EXTERNAL"}, "title": "Reference counting in php_request_shutdown causes Use-After-Free", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-04T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-11235"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-05T03:55:36.686Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11235", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-04T19:50:02.295566Z"}}}], "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-04T19:50:12.693Z"}}], "cna": {"title": "Reference counting in php_request_shutdown causes Use-After-Free", "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Junwha Hong"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PHP Group", "product": "PHP", "versions": [{"status": "affected", "version": "8.4.*", "lessThan": "8.4.5", "versionType": "semver"}, {"status": "affected", "version": "8.3.*", "lessThan": "8.3.19", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2025-03-13T17:44:00.000Z", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=\u00a0\u00a0operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.", "supportingMedia": [{"type": "text/html", "value": "In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or <span style=\"background-color: rgba(129, 139, 152, 0.12);\">??=  </span>operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2025-04-04T17:55:56.918Z"}}}, "cveMetadata": {"cveId": "CVE-2024-11235", "state": "PUBLISHED", "dateUpdated": "2025-04-05T03:55:36.686Z", "dateReserved": "2024-11-15T06:26:33.249Z", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "datePublished": "2025-04-04T17:51:07.550Z", "assignerShortName": "php"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "A525415D-4C9F-4884-9F85-94989608D805", "versionEndExcluding": "8.3.19", "versionStartIncluding": "8.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC94B1EC-530A-4A25-9BCD-DAC5F52F6813", "versionEndExcluding": "8.4.5", "versionStartIncluding": "8.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=\u00a0\u00a0operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution."}, {"lang": "es", "value": "En las versiones de PHP 8.3.* anteriores a la 8.3.19 y 8.4.* anteriores a la 8.4.5, una secuencia de c\u00f3digo que incluya el controlador __set o el controlador ??= y excepciones puede generar una vulnerabilidad de use-after-free. Si un tercero puede controlar la distribuci\u00f3n de memoria que provoca esto, por ejemplo, proporcionando entradas especialmente manipuladas al script, podr\u00eda provocar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2024-11235", "lastModified": "2025-04-30T19:25:17.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@php.net", "type": "Secondary"}]}, "published": "2025-04-04T18:15:48.020", "references": [{"source": "security@php.net", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security@php.net", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:7489", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "php-0:8.3.19-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:7418", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "php:8.3-9060020250409105946.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}], "bugzilla": {"description": "php: Reference counting in php_request_shutdown causes Use-After-Free", "id": "2357531", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2357531"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=\u00a0\u00a0operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.", "A flaw was found in PHP. This vulnerability allows remote code execution via a crafted code path involving the __set magic method or the null coalescing assignment (??=) operator, in combination with exception handling. Attackers can trigger a use-after-free condition by controlling the memory layout through specially crafted inputs."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-11235", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:7.4/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php:8.1/php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-04T17:51:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-11235\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-11235\nhttps://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477"], "statement": "This vulnerability marked as Important instead of Moderate because it leads to a use-after-free condition, allowing attackers to exploit PHP\u2019s memory management for remote code execution. Unlike moderate flaws that might cause limited disruption, this issue arises from a dangerous interaction between the `__set` method or the `??=` operator and exceptions, leading to freed memory being accessed unpredictably. If an attacker can control the memory layout through crafted inputs, they can hijack execution flow, making this a severe risk in real-world PHP applications.", "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object