In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
The product reads data past the end, or before the beginning, of the intended buffer.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Php | Php | 8.2.0 (including) | 8.2.31 (excluding) |
| Php | Php | 8.3.0 (including) | 8.3.31 (excluding) |
| Php | Php | 8.4.0 (including) | 8.4.21 (excluding) |
| Php | Php | 8.5.0 (including) | 8.5.6 (excluding) |
| Red Hat Enterprise Linux 10 | RedHat | php8.4-0:8.4.21-1.el10_2 | * |
| Red Hat Enterprise Linux 10 | RedHat | php-0:8.3.31-1.el10_2 | * |
| Red Hat Enterprise Linux 8 | RedHat | php:8.2-8100020260521052503.f7998665 | * |
| Red Hat Enterprise Linux 8 | RedHat | php:7.4-8100020260604072603.f7998665 | * |
| Red Hat Enterprise Linux 9 | RedHat | php:8.3-9080020260521113736.9 | * |
| Red Hat Enterprise Linux 9 | RedHat | php:8.2-9080020260521080715.9 | * |
| Red Hat Enterprise Linux 9 | RedHat | php-0:8.0.30-6.el9_8 | * |
| Php7.0 | Ubuntu | esm-infra/xenial | * |
| Php8.1 | Ubuntu | jammy | * |
| Php8.3 | Ubuntu | noble | * |
| Php8.3 | Ubuntu | upstream | * |
| Php8.4 | Ubuntu | questing | * |
| Php8.4 | Ubuntu | upstream | * |
| Php8.5 | Ubuntu | devel | * |
| Php8.5 | Ubuntu | resolute | * |
| Php8.5 | Ubuntu | upstream | * |