CVE-2006-4812 in PHPinfo

Summary

by MITRE

Integer overflow in PHP 5 up to 5.1.6 and 4 before 4.3.0 allows remote attackers to execute arbitrary code via an argument to the unserialize PHP function with a large value for the number of array elements, which triggers the overflow in the Zend Engine ecalloc function (Zend/zend_alloc.c).


Analysis

by VulDB Data Team • 04/23/2026

CVE-2006-4812 is a critical integer overflow in the PHP runtime that affects PHP 5 up to 5.1.6 and PHP 4 before 4.3.0. The issue resides in the Zend Engine's memory allocation mechanism, specifically in the ecalloc function in Zend/zend_alloc.c. It is triggered when the unserialize function processes serialized data that declares an excessive number of array elements. The integer values used to compute the allocation size are not validated or constrained, so the arithmetic can overflow while the memory needed for array element storage is being calculated. The vulnerability is classified under CWE-190 (integer overflow or wraparound), a well-known class of memory safety issues that can lead to unpredictable behavior and potential code execution.

The operational impact extends beyond simple memory corruption, because the flaw gives remote attackers a pathway to arbitrary code execution on affected systems. When the unserialize function encounters a serialized payload with an inflated array element count, the size calculation in ecalloc wraps around to a small value, so the buffer that is allocated is smaller than the declared element count requires. This discrepancy allows memory adjacent to the undersized buffer to be overwritten, potentially leading to stack corruption, heap corruption, or other memory layout disruptions. The vulnerability can be reached through various attack vectors, including web applications that deserialize user-supplied input, file uploads, or any mechanism that accepts serialized PHP data without proper validation. According to the ATT&CK framework, this vulnerability maps to T1210 - Exploitation of Remote Services and T1059 - Command and Scripting Interpreter, as it enables attackers to execute arbitrary code on target systems.

Exploitation requires attackers to craft a serialized PHP object whose array element count triggers the integer overflow when it is processed by the unserialize function. The serialized string carries a large integer value for the array size, and when the Zend Engine parses it, the ecalloc function computes an incorrect memory allocation size. The flaw is particularly dangerous because it can be triggered through web-based attacks in which serialized data is passed as parameters or uploaded files, so remote attackers can reach it without local system access. The issue stems from inadequate bounds checking in the memory management layer of the PHP interpreter, which demonstrates the importance of input validation and memory safety in interpreted languages. Organizations running affected PHP versions should immediately implement mitigations, including upgrading to patched versions, applying strict input validation to serialized data, and employing web application firewalls to filter suspicious serialized content. The vulnerability also highlights the need for proper integer handling in low-level functions involved in memory allocation and management, as integer overflows in other languages and systems have been documented with similar security consequences.
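The size calculation described in the analysis, shown beside a checked form, as an added example that is not the Zend Engine's code or part of the original entry. All function names and the 4-byte element size are hypothetical, `uint32_t` stands in for a 32-bit `size_t`, and the serialized headers are constructed sample input.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked calloc-style size: the product wraps modulo 2^32 (CWE-190). */
uint32_t size_unchecked(uint32_t nmemb, uint32_t size) {
    return (uint32_t)((uint64_t)nmemb * size);
}

/* Checked form: 0 and the product in *out, or -1 if it would wrap. */
int size_checked(uint32_t nmemb, uint32_t size, uint32_t *out) {
    if (size != 0 && nmemb > UINT32_MAX / size)
        return -1;
    *out = nmemb * size;
    return 0;
}

/* Read the declared element count from a serialized array header
 * "a:<count>:{". Returns -1 on malformed input or a count over 32 bits. */
int parse_array_count(const char *s, uint32_t *count) {
    char *end;
    unsigned long long v;
    if (strncmp(s, "a:", 2) != 0 || s[2] < '0' || s[2] > '9')
        return -1;
    errno = 0;
    v = strtoull(s + 2, &end, 10);
    if (errno != 0 || v > UINT32_MAX || strncmp(end, ":{", 2) != 0)
        return -1;
    *count = (uint32_t)v;
    return 0;
}

/* Allocate a zeroed element table for a serialized array, rejecting any
 * declared count whose byte size would wrap instead of under-allocating.
 * elem_size is an assumed per-element size, not PHP's real bucket size. */
void *alloc_table(const char *serialized, uint32_t elem_size) {
    uint32_t count, bytes;
    if (parse_array_count(serialized, &count) != 0)
        return NULL;
    if (size_checked(count, elem_size, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}
```

With a declared count of 1073741825 and 4-byte elements, the unchecked product is 4 bytes, which is the undersized allocation the analysis describes; the checked path returns NULL for the same input.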

Reservation

09/15/2006

Disclosure

10/10/2006

Moderation

accepted

Entry

VDB-2588

CPE

ready

Exploit

Download

EPSS

0.15011

KEV

no

Activities

very low
