CVE-2020-7065

In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.
References
Link Resource
https://bugs.php.net/bug.php?id=79371 Exploit Issue Tracking Patch Vendor Advisory
https://security.netapp.com/advisory/ntap-20200403-0001/ Third Party Advisory
https://usn.ubuntu.com/4330-1/ Third Party Advisory
https://usn.ubuntu.com/4330-2/ Third Party Advisory
https://www.debian.org/security/2020/dsa-4719 Third Party Advisory
https://www.php.net/ChangeLog-7.php#7.4.4 Release Notes Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Information

Published : 2020-04-01 04:15

Updated : 2021-07-22 18:15


NVD link : CVE-2020-7065

Mitre link : CVE-2020-7065


JSON object : View

Products Affected

debian

  • debian_linux

php

  • php

canonical

  • ubuntu_linux
CWE
CWE-787

Out-of-bounds Write