PT-2019-12154 · Php+1

Published: 2019-12-21 · Updated: 2022-12-21 · CVE-2019-11049

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

PHP versions 7.3.x through 7.3.12
PHP version 7.4.0

Description

The issue arises when custom headers are supplied to the mail() function in lowercase, resulting in double-freeing certain memory locations due to a mistake introduced in a specific commit. This can occur in PHP on Windows.

Recommendations

For PHP versions 7.3.x through 7.3.12, update to version 7.3.13 or later to resolve the issue. For PHP version 7.4.0, update to a version later than 7.4.0 to resolve the issue. As a temporary workaround, consider avoiding the use of lowercase custom headers in the mail() function until a patch is available.

Fix

Weakness Enumeration: Double Free

Related Identifiers

ALT-PU-2019-3355
ALT-PU-2019-3390
CVE-2019-11049
DSA-4626-1
MGASA-2019-0412

Affected Products

Alt Linux
Php