CVE-2016-6294

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.5.38 PHP versions 5.6.x prior to 5.6.24 PHP versions 7.x prior to 7.0.9

Description The issue is related to the locale accept from http function in PHP, which does not properly restrict calls to the ICU uloc acceptLanguageFromHTTP function. This allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument.

Recommendations For PHP versions prior to 5.5.38, update to version 5.5.38 or later. For PHP versions 5.6.x prior to 5.6.24, update to version 5.6.24 or later. For PHP versions 7.x prior to 7.0.9, update to version 7.0.9 or later. As a temporary workaround, consider restricting access to the locale accept from http function until a patch is available.