CVE-2016-7416

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.6.26 PHP versions 7.x prior to 7.0.11

Description The issue is caused by a buffer overflow in the ext/intl/msgformat/msgformat format.c component of the PHP interpreter. This can be exploited by a remote attacker to cause a denial of service through a call to MessageFormatter::formatMessage. The problem arises from the improper restriction of the locale length provided to the Locale class in the ICU library, allowing attackers to potentially crash the application or have other unspecified impacts by making a MessageFormatter::formatMessage call with a long first argument.

Recommendations For PHP versions prior to 5.6.26, update to version 5.6.26 or later. For PHP versions 7.x prior to 7.0.11, update to version 7.0.11 or later. As a temporary workaround, consider restricting the use of the MessageFormatter::formatMessage function with long arguments until a patch is available.