PHP up to 5.5.33/5.6.19/5.22/7.0.4 Continuation-Level Jump funcs.c file_check_mem buffer overflow

Summaryinfo

A vulnerability classified as critical has been found in PHP up to 5.5.33/5.6.19/5.22/7.0.4. This affects the function file_check_mem of the file funcs.c of the component Continuation-Level Jump Handler. The manipulation leads to buffer overflow. This vulnerability is documented as CVE-2015-8865. The attack can be initiated remotely. There is not any exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in PHP up to 5.5.33/5.6.19/5.22/7.0.4. It has been rated as critical. This issue affects the function file_check_mem of the file funcs.c of the component Continuation-Level Jump Handler. The manipulation with an unknown input leads to a buffer overflow vulnerability. Using CWE to declare the problem leads to CWE-120. The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Impacted is confidentiality, integrity, and availability.

The advisory is shared at bugs.php.net. The identification of this vulnerability is CVE-2015-8865. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 05/12/2025).

Upgrading to version 5.5.34, 5.6.20, 5.23 or 7.0.5 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.php.net. The best possible mitigation is suggested to be upgrading to the latest version.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Programming Language Software

Name

• PHP

Version

• 5.0
• 5.1
• 5.2
• 5.3
• 5.4
• 5.5
• 5.5.0
• 5.5.1
• 5.5.2
• 5.5.3
• 5.5.4
• 5.5.5
• 5.5.6
• 5.5.7
• 5.5.8
• 5.5.9
• 5.5.10
• 5.5.11
• 5.5.12
• 5.5.13
• 5.5.14
• 5.5.15
• 5.5.16
• 5.5.17
• 5.5.18
• 5.5.19
• 5.5.20
• 5.5.21
• 5.5.22
• 5.5.23
• 5.5.24
• 5.5.25
• 5.5.26
• 5.5.27
• 5.5.28
• 5.5.29
• 5.5.30
• 5.5.31
• 5.5.32
• 5.5.33
• 5.6
• 5.6.0
• 5.6.1
• 5.6.2
• 5.6.3
• 5.6.4
• 5.6.5
• 5.6.6
• 5.6.7
• 5.6.8
• 5.6.9
• 5.6.10
• 5.6.11
• 5.6.12
• 5.6.13
• 5.6.14
• 5.6.15
• 5.6.16
• 5.6.17
• 5.6.18
• 5.6.19
• 5.7
• 5.8
• 5.9
• 5.10
• 5.11
• 5.12
• 5.13
• 5.14
• 5.15
• 5.16
• 5.17
• 5.18
• 5.19
• 5.20
• 5.21
• 5.22
• 7.0.0
• 7.0.1
• 7.0.2
• 7.0.3
• 7.0.4

License

• open-source

Website

• Product: https://www.php.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion