CVE-2016-5093

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.5.36 PHP versions 5.6.x prior to 5.6.22 PHP versions 7.x prior to 7.0.7

Description The issue is related to the get icu value internal function in PHP, which does not ensure the presence of a '0' character. This allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted locale get primary language call. The vulnerability is associated with out-of-bounds reading in memory.

Recommendations For PHP versions prior to 5.5.36, update to version 5.5.36 or later. For PHP versions 5.6.x prior to 5.6.22, update to version 5.6.22 or later. For PHP versions 7.x prior to 7.0.7, update to version 7.0.7 or later. As a temporary workaround, consider restricting the use of the locale get primary language function until a patch is available.