Critical severity9.8NVD Advisory· Published May 16, 2016· Updated May 6, 2026

CVE-2015-6834

Description

Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

php.net/ChangeLog-5.phpnvd
www.debian.org/security/2015/dsa-3358nvd
www.securityfocus.com/bid/76649nvd
www.securitytracker.com/id/1033548nvd
bugs.php.net/bug.phpnvd
bugs.php.net/bug.phpnvd
bugs.php.net/bug.phpnvd
security.gentoo.org/glsa/201606-10nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.030
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000