Ilija Tovilo

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** The PDO Firebird driver improperly handles NUL bytes during the preparation of SQL queries. When constructing queries token-by-token, a string token containing a NUL byte is processed using the `strncat()` function, which terminates at the NUL byte. This action drops the closing quote, causing subsequent SQL tokens to be interpreted as part of the string. This behavior enables SQL injection when attacker-controlled values are quoted using the `PDO::quote()` function and embedded in SQL statements. **Recommendations** Update PHP version 8.2.x to 8.2.31 Update PHP version 8.3.x to 8.3.31 Update PHP version 8.4.x to 8.4.21 Update PHP version 8.5.x to 8.5.6

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** An issue exists in the mbstring extension where passing an encoding name containing an embedded NUL byte to certain functions causes the code to incorrectly assume strings are of equal length when `strncasecmp()` returns 0. This can result in an out-of-bounds read of global memory, which may lead to information disclosure or a system crash. Affected functions include `mb convert encoding()`, `mb detect encoding()`, `mb convert variables()`, and `mb detect order()`. Additionally, the `mbstring.detect order` and `mbstring.http output` INI settings are affected. **Recommendations** Update PHP version 8.4.x to 8.4.21. Update PHP version 8.5.x to 8.5.6.

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** The `DOMNode::C14N()` method may process XML data incorrectly, leading to the creation of a circular linked list within the data structure that represents the XML document. This flaw can cause subsequent processing of the document to enter an infinite loop, resulting in a denial of service for the application. **Recommendations** Update PHP version 8.4.x to 8.4.21. Update PHP version 8.5.x to 8.5.6. As a temporary workaround, restrict the use of the `DOMNode::C14N()` method when processing untrusted XML data.

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** A mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, which results in a segmentation fault and denial of service. This occurs when user-controlled input influences the encoding passed to the `mb regex encoding()` function. **Recommendations** Update to version 8.2.31 or later. Update to version 8.3.31 or later. Update to version 8.4.21 or later. Update to version 8.5.6 or later. As a temporary workaround, restrict user-controlled input from influencing the encoding passed to the `mb regex encoding()` function.

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** When SoapServer is configured with `SOAP PERSISTENCE SESSION`, the handler object is persisted across requests using session storage. If a SOAP request results in an error, the persistence is handled incorrectly, causing the object to be freed while a pointer to it remains. This leads to a use-after-free condition, which is a situation where a program continues to use a pointer after it has been freed, potentially resulting in memory corruption, information disclosure, or process crashes. **Recommendations** Update PHP version 8.2.x to 8.2.31 Update PHP version 8.3.x to 8.3.31 Update PHP version 8.4.x to 8.4.21 Update PHP version 8.5.x to 8.5.6

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** A mistake in the decoding process of a SOAP server with a configured typemap causes the system to check the wrong variable when a value element is missing. This results in a NULL pointer dereference, leading to a segmentation fault. A remote unauthenticated attacker can exploit this to crash the PHP SOAP server process, causing a denial of service. **Recommendations** Update PHP version 8.2.x to 8.2.31 Update PHP version 8.3.x to 8.3.31 Update PHP version 8.4.x to 8.4.21 Update PHP version 8.5.x to 8.5.6

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** A use-after-free issue exists in the SOAP extension's object deduplication mechanism, specifically within the `soap add xml ref()` function. The mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, the second entry overwrites the first in the temporary result map, freeing the original PHP object while a stale pointer remains. A subsequent href reference to the freed node can copy this dangling pointer into the result. Since PHP string allocations can reclaim the freed memory region, a remote attacker controlling the SOAP request body can exploit this to achieve remote code execution. **Recommendations** Update PHP version 8.2.x to 8.2.31 Update PHP version 8.3.x to 8.3.31 Update PHP version 8.4.x to 8.4.21 Update PHP version 8.5.x to 8.5.6

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** Certain functions, including `urldecode()`, pass signed characters to ctype functions such as `isxdigit()`. On systems utilizing default signed characters and optimized table-lookup ctype functions, such as NetBSD, this behavior can result in accessing an array with a negative offset, potentially triggering a denial of service. **Recommendations** Update PHP version 8.2.x to 8.2.31 Update PHP version 8.3.x to 8.3.31 Update PHP version 8.4.x to 8.4.21 Update PHP version 8.5.x to 8.5.6