Rick Regan

**Name of the Vulnerable Software and Affected Versions** Java Runtime Environment (JRE) versions 6 Update 23 and earlier Java Runtime Environment (JRE) versions 5.0 Update 27 and earlier Java Runtime Environment (JRE) versions 1.4.2 29 and earlier **Description** The issue allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number. This is demonstrated using the string `2.2250738585072012e-308`. The `Double.parseDouble` method is the point of concern in this issue. **Recommendations** For Java Runtime Environment (JRE) versions 6 Update 23 and earlier, update to a version that includes the fix for this issue. For Java Runtime Environment (JRE) versions 5.0 Update 27 and earlier, update to a version that includes the fix for this issue. For Java Runtime Environment (JRE) versions 1.4.2 29 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider avoiding the use of the `Double.parseDouble` method with untrusted input until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PHP versions 5.2 through 5.2.16 PHP versions 5.3 through 5.3.4 **Description** The issue allows context-dependent attackers to cause a denial of service, resulting in an infinite loop, via a certain floating-point value in scientific notation. This value is not properly handled in x87 FPU registers, as demonstrated using the value `2.2250738585072011e-308`. **Recommendations** For PHP versions 5.2 through 5.2.16, update to version 5.2.17 or later. For PHP versions 5.3 through 5.3.4, update to version 5.3.5 or later.