In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.
The product reads data past the end, or before the beginning, of the intended buffer.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Php | Php | 8.2.0 (including) | 8.2.21 (excluding) |
| Php | Php | 8.3.0 (including) | 8.3.31 (excluding) |
| Php | Php | 8.4.0 (including) | 8.4.21 (excluding) |
| Php | Php | 8.5.0 (including) | 8.5.6 (excluding) |
| Red Hat Enterprise Linux 10 | RedHat | php8.4-0:8.4.21-1.el10_2 | * |
| Red Hat Enterprise Linux 10 | RedHat | php-0:8.3.31-1.el10_2 | * |
| Red Hat Enterprise Linux 8 | RedHat | php:8.2-8100020260521052503.f7998665 | * |
| Red Hat Enterprise Linux 8 | RedHat | php:7.4-8100020260604072603.f7998665 | * |
| Red Hat Enterprise Linux 9 | RedHat | php:8.3-9080020260521113736.9 | * |
| Red Hat Enterprise Linux 9 | RedHat | php:8.2-9080020260521080715.9 | * |
| Red Hat Enterprise Linux 9 | RedHat | php-0:8.0.30-6.el9_8 | * |
| Red Hat Hardened Images | RedHat | php-main-8.5.6-1.hum1 | * |
| Php7.0 | Ubuntu | esm-infra/xenial | * |
| Php8.3 | Ubuntu | noble | * |
| Php8.3 | Ubuntu | upstream | * |
| Php8.4 | Ubuntu | questing | * |
| Php8.4 | Ubuntu | upstream | * |
| Php8.5 | Ubuntu | devel | * |
| Php8.5 | Ubuntu | resolute | * |
| Php8.5 | Ubuntu | upstream | * |