VYPR
← All advisories
High severity7.3NVD Advisory· Published Jan 19, 2016· Updated May 6, 2026

CVE-2015-6832

CVE-2015-6832

Description

Use-after-free in PHP's SPL unserialization allows arbitrary code execution via crafted serialized data that misuses an array field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in PHP's SPL unserialization allows arbitrary code execution via crafted serialized data that misuses an array field.

Vulnerability

A use-after-free vulnerability exists in the SPL unserialize implementation within ext/spl/spl_array.c in PHP. The bug affects PHP versions before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 [1][2]. During unserialization of an ArrayObject, a dangling pointer to a zval is inadvertently created. By crafting serialized data that misuses an array field, an attacker can cause this dangling pointer to be swapped into the array field of the spl_array_object [2].

Exploitation

An attacker needs to provide crafted serialized data to a PHP application that calls unserialize() on user-controlled input. No authentication or special network position beyond being able to deliver the serialized payload is required [2]. The exploit sequence involves: first, triggering the dangling pointer by the unserialization flaw; second, causing the deallocated zval to be reallocated and initialized with attacker-controlled data; and finally, leveraging the forged zval to execute arbitrary code [2].

Impact

Successful exploitation allows remote attackers to execute arbitrary code on the target system. The attacker gains control over the zval structure pointer, which can be manipulated to set type to IS_ARRAY and rewrite the ht field to point to a forged HashTable. On destruction, if that forged HashTable contains a pointer to a destructor function, it will be called, leading to code execution [2].

Mitigation

PHP fixed this issue in versions 5.4.44, 5.5.28, and 5.6.12 [1][2]. Users should upgrade to these or later versions. For Gentoo Linux systems, the recommended upgrade is to version 5.5.33 or later for PHP 5.5, and 5.6.19 or later for 5.6 [3]. No workarounds are known; the only mitigation is to apply the patch [3].

References
  1. PHP: PHP 5 ChangeLog
  2. Dangling pointer in the unserialization of ArrayObject items
  3. Multiple vulnerabilities (GLSA 201606-10) — Gentoo security

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

61
  • PHP/PHP59 versions
    cpe:2.3:a:php:php:*:*:*:*:*:*:*:*+ 58 more
    • cpe:2.3:a:php:php:*:*:*:*:*:*:*:*range: <=5.4.43
    • cpe:2.3:a:php:php:5.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.0:alpha2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.0:alpha3:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.0:alpha4:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.0:alpha5:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.0:alpha6:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.10:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.11:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.12:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.13:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.14:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.18:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.19:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.20:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.21:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.22:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.23:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.24:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.25:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.26:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.27:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.5.9:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.0:alpha2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.0:alpha3:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.0:alpha4:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.0:alpha5:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.10:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.11:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.6.9:*:*:*:*:*:*:*
    • (no CPE)range: <=5.4.44 || >=5.5.0 <5.5.28 || >=5.6.0 <5.6.12
  • osv-coords2 versions
    pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012
    < 5.5.14-36.1+ 1 more
    • (no CPE)range: < 5.5.14-36.1
    • (no CPE)range: < 5.5.14-36.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.