CVE-2015-8616
Description
Use-after-free in PHP 7.x Collator::sortWithSortKeys allows remote attackers to cause denial of service or possibly execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in the Collator::sortWithSortKeys function in ext/intl/collator/collator_sort.c in PHP 7.x versions before 7.0.1. The function stores pointers to array elements (hashData) in a buffer, then destroys the original array, freeing those elements. Subsequently, the dangling pointers are inserted into a newly initialized array, leading to a use-after-free condition [2].
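The ordering problem described above, modelled as an added example (not code from PHP or from the bug report): pointers are saved in a side buffer, the source array is destroyed, and the saved pointers are placed in a new array. All names are hypothetical, elements live in a static pool so a freed slot can be inspected safely, and the reference-taking variant shows one common way to harden this pattern, which is an assumption and not the actual PHP patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model: slots come from a static pool, so a "freed" slot can still be
   inspected safely. All names are hypothetical, not PHP internals. */
#define N 4
typedef struct { int refcount; int in_use; int value; } slot_t;
static slot_t pool[N];

static void retain(slot_t *s)  { s->refcount++; }
static void release(slot_t *s) { if (--s->refcount == 0) s->in_use = 0; }

/* Fill the pool: each element is owned once, by the source array. */
static void make_array(slot_t *arr[N]) {
    for (int i = 0; i < N; i++) {
        pool[i] = (slot_t){ .refcount = 1, .in_use = 1, .value = N - i };
        arr[i] = &pool[i];
    }
}

/* Destroying the array drops its reference to every element. */
static void destroy_array(slot_t *arr[N]) {
    for (int i = 0; i < N; i++) { release(arr[i]); arr[i] = NULL; }
}

/* Rebuild the array from saved pointers; returns how many saved pointers
   refer to an element that was already freed (dangling). */
static int rebuild(int take_reference) {
    slot_t *src[N], *saved[N], *dst[N];
    int dangling = 0;
    make_array(src);
    for (int i = 0; i < N; i++) {
        saved[i] = src[i];                    /* pointer stored in side buffer */
        if (take_reference) retain(saved[i]); /* hardened: buffer owns a ref */
    }
    destroy_array(src);                       /* original array torn down */
    for (int i = 0; i < N; i++) {             /* saved pointers enter new array */
        dst[i] = saved[i];
        if (!dst[i]->in_use) dangling++;
    }
    return dangling;
}

int rebuild_unsafe(void) { return rebuild(0); } /* order described in the report */
int rebuild_safe(void)   { return rebuild(1); } /* reference taken before destroy */

int main(void) {
    printf("dangling: unsafe=%d safe=%d\n", rebuild_unsafe(), rebuild_safe());
    return 0;
}
```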
Exploitation
An attacker can trigger this vulnerability by passing a crafted array to the Collator::sortWithSortKeys method. No authentication or special privileges are required; the attacker only needs the ability to call the function with malicious input. The bug report includes a proof-of-concept using an array of 0xbb elements that results in a null pointer dereference [2].
Impact
Successful exploitation causes a use-after-free, leading to a denial of service (application crash). The official description also notes the possibility of "unspecified other impact," which could include arbitrary code execution depending on memory layout [2].
Mitigation
The vulnerability is fixed in PHP 7.0.1, released shortly after the bug report was closed on 2015-12-22 [2]. Users should upgrade to PHP 7.0.1 or later. No workaround is available.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
Patches
0
No patches discovered yet.
References (2)
- bugs.php.net/bug.php (nvd, Exploit)
- php.net/ChangeLog-7.php (nvd, Vendor Advisory)