Critical severity9.1NVD Advisory· Published Aug 7, 2016· Updated May 6, 2026

CVE-2016-5114

Description

sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

php.net/ChangeLog-5.phpnvdPatchRelease Notes
php.net/ChangeLog-7.phpnvdPatchRelease Notes
www.search-lab.hu/about-us/news/111-some-unusual-vulnerabilities-in-the-php-enginenvdPatchThird Party Advisory
bugs.php.net/bug.phpnvdExploit
www.openwall.com/lists/oss-security/2016/05/29/1nvdRelease Notes
github.com/php/php-src/commit/2721a0148649e07ed74468f097a28899741eb58fnvd
rhn.redhat.com/errata/RHSA-2016-2750.htmlnvd
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000