CVE-2016-10162 in PHP
Summary
by MITRE
The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/14/2026
The vulnerability identified as CVE-2016-10162 represents a critical denial of service weakness affecting PHP versions 7.0.x prior to 7.0.15 and 7.1.x prior to 7.1.1. This flaw resides within the php_wddx_pop_element function located in the ext/wddx/wddx.c file of the PHP source code. The vulnerability manifests when processing WDDX (Web Distributed Data Exchange) XML documents through the wddx_deserialize function, creating a scenario where malformed input can trigger system instability. The issue specifically occurs when an inapplicable class name is present within a wddxPacket XML structure, causing the application to attempt operations on null pointers during deserialization processes.
The technical exploitation of this vulnerability involves the manipulation of WDDX packet XML documents to include class names that do not correspond to valid PHP classes or objects. When the wddx_deserialize function processes these malformed documents, it invokes php_wddx_pop_element which fails to properly validate the class references before attempting to dereference them. This NULL pointer dereference results in immediate application crashes and system instability, effectively creating a denial of service condition that can be triggered remotely by any attacker capable of sending specially crafted WDDX XML data to a vulnerable PHP application. The flaw operates at the core level of PHP's WDDX processing functionality, making it particularly dangerous as it can affect any application utilizing WDDX serialization or deserialization features.
From an operational perspective, this vulnerability poses significant risks to web applications that rely on PHP's WDDX capabilities for data exchange or communication between systems. The remote attack vector means that malicious actors can exploit this weakness without requiring local system access or authentication, making it particularly attractive for attackers seeking to disrupt services. The impact extends beyond simple application crashes to potentially affect entire server availability, especially in environments where multiple applications depend on WDDX processing. Organizations using vulnerable PHP versions may experience service interruptions, increased system load from repeated crash attempts, and potential data loss during crash recovery scenarios. The vulnerability aligns with CWE-476 which describes NULL pointer dereference conditions, and represents a classic example of how improper input validation can lead to system instability.
Mitigation strategies for this vulnerability require immediate patching of affected PHP installations to versions 7.0.15 or 7.1.1 and later, which contain the necessary code fixes to properly validate class references during WDDX deserialization. System administrators should also implement network-level filtering to restrict access to WDDX processing endpoints where possible, and consider disabling WDDX functionality entirely if it is not essential for application operations. Additionally, organizations should enhance their input validation procedures and implement proper error handling for XML processing components to prevent similar issues from manifesting in other parts of their applications. The ATT&CK framework categorizes this vulnerability under privilege escalation and denial of service tactics, highlighting the need for comprehensive security monitoring and incident response procedures to detect and respond to exploitation attempts. Regular security assessments and vulnerability scanning should be conducted to identify other potential weaknesses in PHP applications that might be similarly affected by improper input handling or memory management issues.