PT-2022-5981 · Unknown+10 · Gd Extension+10
Published: 2022-10-27 · Updated: 2025-08-11
CVE-2022-31630
CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
PHP versions prior to 7.4.33, 8.0.25 and 8.1.12
Description
The issue is related to the imageloadfont() function in the gd extension, which can be exploited by providing a specially crafted font file. When the loaded font is used with the imagechar() function, it can lead to reading outside the allocated buffer, resulting in crashes or disclosure of confidential information.
Recommendations
For PHP versions prior to 7.4.33, update to version 7.4.33 or later.
For PHP versions prior to 8.0.25, update to version 8.0.25 or later.
For PHP versions prior to 8.1.12, update to version 8.1.12 or later.
As a temporary workaround, consider disabling the imageloadfont() function in the gd extension until a patch is available.
Restrict access to the gd extension to minimize the risk of exploitation.
Avoid using the imagechar() function with loaded fonts from untrusted sources until the issue is resolved.
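The recommendations above come down to three checks on a host: the PHP version against the fixed release for its branch, whether gd is loaded, and whether imageloadfont() is disabled. The following is an added example, not part of the advisory or of PHP itself; the function name assessExposure and its status labels are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example (not from the advisory): exposure check for CVE-2022-31630.
// Fixed releases per branch are the ones listed in the advisory above.
const FIXED_RELEASES = ['7.4' => '7.4.33', '8.0' => '8.0.25', '8.1' => '8.1.12'];

function assessExposure(string $version, bool $gdLoaded, string $disabledFunctions): array
{
    // Reduce strings such as "8.1.2-1ubuntu2.14" to the upstream "8.1.2".
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        return ['status' => 'unknown', 'reason' => "cannot parse version '$version'"];
    }
    $upstream = "{$m[1]}.{$m[2]}.{$m[3]}";
    $branch = "{$m[1]}.{$m[2]}";

    if (version_compare($upstream, '7.4.0', '<')) {
        $affected = true;   // older than every fixed release the advisory names
    } elseif (array_key_exists($branch, FIXED_RELEASES)) {
        $affected = version_compare($upstream, FIXED_RELEASES[$branch], '<');
    } else {
        $affected = false;  // branch newer than those the advisory lists
    }
    if (!$affected) {
        return ['status' => 'not-affected', 'reason' => "$upstream is outside the affected range"];
    }
    if (!$gdLoaded) {
        return ['status' => 'not-exposed', 'reason' => 'gd extension is not loaded'];
    }
    $disabled = array_map('trim', explode(',', strtolower($disabledFunctions)));
    if (in_array('imageloadfont', $disabled, true)) {
        return ['status' => 'mitigated', 'reason' => 'imageloadfont is in disable_functions'];
    }
    // Distribution packages may carry a backported fix under an older upstream
    // version number, so confirm this result against the vendor's advisory.
    return ['status' => 'exposed', 'reason' => "$upstream with gd and imageloadfont() enabled"];
}

// This runtime first, then constructed samples (version, gd loaded, disable_functions).
$cases = [
    [PHP_VERSION, extension_loaded('gd'), (string) ini_get('disable_functions')],
    ['8.0.24', true, ''],
    ['8.1.11', true, 'exec, imageloadfont'],
    ['7.4.33', true, ''],
    ['7.3.9-1ubuntu1', false, ''],
];
foreach ($cases as [$version, $gd, $disabled]) {
    $r = assessExposure($version, $gd, $disabled);
    printf("%-16s %-12s %s\n", $version, $r['status'], $r['reason']);
}
```

Run it with the same SAPI and php.ini that serve the application, since the CLI and FPM configurations can load different extensions and disable_functions values.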
Out of bounds Read
Integer Overflow
Related Identifiers
Affected Products
ALT Linux
AlmaLinux
CentOS
Linux Mint
PHP
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu
GD Extension