Critical severity 9.8 · OSV Advisory · Published Aug 7, 2016 · Updated May 6, 2026

CVE-2016-3132

Description

A double-free bug in PHP 7.x's SplDoublyLinkedList::offsetSet allows remote code execution via a crafted index before 7.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A double-free vulnerability exists in the SplDoublyLinkedList::offsetSet function in ext/spl/spl_dllist.c in PHP 7.x versions before 7.0.6 [1][2]. When an invalid index (negative or beyond the list count) is passed, the code path frees the value zval via zval_ptr_dtor(value) at line 833, then throws an OutOfRangeException. However, the engine's call stack cleanup in zend_vm_stack_free_args subsequently frees the same zval, triggering a double-free [2]. This affects all versions in the 7.x branch up to and including 7.0.5.

Exploitation

An attacker can trigger the vulnerability by calling offsetSet on a SplDoublyLinkedList (or SplStack/SplQueue) with an out-of-range index and a controlled value (e.g., a DateTime object) [2]. No authentication or special position is required if the attacker can supply input that reaches this code path (e.g., via a web request that uses the SPL class). The provided proof‑of‑concept script demonstrates that the double-free corrupts heap memory and can lead to arbitrary code execution by overwriting a function pointer [2].

Impact

Successful exploitation allows a remote attacker to execute arbitrary code with the privileges of the PHP process [4]. The CVSS v3 base score is 9.8 (Critical). The double-free corrupts the heap, giving the attacker control over program flow. This can lead to full system compromise depending on the environment.

Mitigation

The fix was committed in PHP commit 28a6ed9f9a36b9c517e4a8a429baf4dd382fc5d5 [3], which removes the problematic zval_ptr_dtor(value) call, landing in PHP 7.0.6 [1]. Users must upgrade to PHP 7.0.6 or later. No workaround is available; the affected versions are end‑of‑life for security support. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
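The ownership error described under Vulnerability, and the effect of removing the extra destructor call, can be seen in a small model. This is an added example, not PHP source and not code from the advisory: toy_val, toy_release, offset_set_buggy, offset_set_fixed and call_and_cleanup are hypothetical names, and frees are counted rather than performed so the over-release is observable without touching a real heap.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for a refcounted zval (hypothetical names, not PHP's API). */
typedef struct {
    int refcount; /* references still owned */
    int frees;    /* times the storage would have been freed */
} toy_val;

/* Drop one reference; record a free whenever the count reaches zero or below,
 * so an over-release is counted instead of corrupting a real heap. */
static void toy_release(toy_val *v) {
    if (--v->refcount <= 0) v->frees++;
}

/* Pre-7.0.6 shape: the error path destroys an argument the callee does not own. */
static bool offset_set_buggy(long index, long count, toy_val *value) {
    if (index < 0 || index >= count) {
        toy_release(value); /* models zval_ptr_dtor(value) */
        return false;       /* models throwing OutOfRangeException */
    }
    return true;            /* storing the value is omitted in this model */
}

/* Fixed shape: the error path leaves the argument for the caller's cleanup. */
static bool offset_set_fixed(long index, long count, toy_val *value) {
    (void)value;
    return index >= 0 && index < count;
}

/* Models the engine: pass one owned argument, call, then free the arguments.
 * Returns how many times the value was freed (1 is correct, 2 is a double free). */
static int call_and_cleanup(bool (*fn)(long, long, toy_val *), long index, long count) {
    toy_val arg = { .refcount = 1, .frees = 0 };
    fn(index, count, &arg);
    toy_release(&arg);      /* models zend_vm_stack_free_args */
    return arg.frees;
}

int main(void) {
    printf("buggy, index -1: freed %d time(s)\n", call_and_cleanup(offset_set_buggy, -1, 3));
    printf("fixed, index -1: freed %d time(s)\n", call_and_cleanup(offset_set_fixed, -1, 3));
    printf("buggy, index  1: freed %d time(s)\n", call_and_cleanup(offset_set_buggy, 1, 3));
    return 0;
}
```

The same pattern is worth checking in any extension code review: an error path that releases a caller-owned argument before returning or throwing.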

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • PHP/PHP (OSV), 8 versions
    POST_64BIT_BRANCH_MERGE, POST_AST_MERGE, POST_PHP7_NSAPI_REMOVAL, … + 7 more
    • (no CPE) range: POST_64BIT_BRANCH_MERGE, POST_AST_MERGE, POST_PHP7_NSAPI_REMOVAL, …
    • cpe:2.3:a:php:php:7.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:7.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:7.0.5:*:*:*:*:*:*:*
    • (no CPE) range: <7.0.6

Patches

0

No patches discovered yet.

References

5
