CVE-2021-21708

Name of the Vulnerable Software and Affected Versions PHP versions 7.4.x through 7.4.27 PHP versions 8.0.x through 8.0.15 PHP versions 8.1.x through 8.1.2

Description The issue is related to the use of filter functions with the FILTER VALIDATE FLOAT filter and min/max limits in PHP. If the filter fails, there is a possibility to trigger the use of allocated memory after it has been freed, which can result in crashes and potentially allow for the overwrite of other memory chunks and remote code execution (RCE). This issue affects code that uses FILTER VALIDATE FLOAT with min/max limits. The exploitation of this issue may allow a remote attacker to execute arbitrary code by providing specially crafted input to an application using the affected PHP function, causing a use-after-free error and leading to a crash of the php-fpm process.

Recommendations For PHP versions 7.4.x through 7.4.27, update to version 7.4.28 or later to resolve the issue. For PHP versions 8.0.x through 8.0.15, update to version 8.0.16 or later to resolve the issue. For PHP versions 8.1.x through 8.1.2, update to version 8.1.3 or later to resolve the issue. As a temporary workaround, consider avoiding the use of FILTER VALIDATE FLOAT with min/max limits until a patch is available.