CVE-2014-9426

Vulnerability

The apprentice_load function in libmagic/apprentice.c of the Fileinfo component in PHP through 5.6.4 attempts to perform a efree() operation on a stack-based character array (mfn). This is an invalid free because stack-allocated memory cannot be freed with the heap deallocator. The code path is reachable when processing certain file inputs. The issue was reported in PHP bug #68665 [1] and affects PHP versions 5.6.4 and earlier.

Exploitation

An attacker can trigger this vulnerability by providing a crafted file that causes the apprentice_load function to execute the erroneous efree() call. No authentication or special privileges are required; the attack can be performed remotely by sending a malicious file to a PHP application that uses the Fileinfo component (e.g., via file upload or finfo functions). The exact sequence of steps is not publicly detailed, but the bug report confirms the invalid free is reachable.

Impact

Successful exploitation leads to memory corruption or an application crash, resulting in a denial of service (DoS). The vendor disputes the severity, arguing that the standard erealloc behavior makes the free operation unreachable in practice. However, the bug report indicates the issue was fixed, suggesting it could be triggered under certain conditions. The impact is limited to availability; no code execution or information disclosure has been demonstrated.

Mitigation

The vulnerability was fixed in a later PHP release. According to the bug report [1], the fix was applied and the bug closed on 2014-12-28. Users should upgrade to PHP 5.6.5 or later, or apply the provided patch. No workaround is available for unpatched versions. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.