CVE-2016-9935

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.6.29 PHP versions 7.x prior to 7.0.14

Description The issue is related to the php wddx push element function, which allows remote attackers to cause a denial of service or possibly have other impacts via an empty boolean element in a wddxPacket XML document. This can lead to an out-of-bounds read and memory corruption. The vulnerability is caused by a buffer overflow read.

Recommendations For PHP versions prior to 5.6.29, update to version 5.6.29 or later. For PHP versions 7.x prior to 7.0.14, update to version 7.0.14 or later. As a temporary workaround, consider restricting the use of the php wddx push element function until a patch is available. Avoid using empty boolean elements in wddxPacket XML documents to minimize the risk of exploitation.