VYPR
Critical severity, CVSS 9.8 (NVD) · Advisory · Published Aug 7, 2016 · Updated May 6, 2026

CVE-2016-5768

Description

Double free in PHP mbstring's _php_mb_regex_ereg_replace_exec function allows remote code execution or denial of service via crafted input with callback exception.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The _php_mb_regex_ereg_replace_exec function in php_mbregex.c, the internal routine behind mb_ereg_replace, mb_eregi_replace, and mb_ereg_replace_callback in the mbstring extension, contains a double free. The bug is reached when the replacement callback throws an exception while a match is being processed. Affected versions are PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 [1][2][4].

Exploitation

The trigger is a replacement callback that throws an exception during a mb_ereg_replace_callback call. The callback itself is normally the application's, so the attacker's lever is input that makes it throw: attacker-controlled subject or pattern data reaching an endpoint whose callback raises on unexpected matches is enough, and no authentication is required beyond the ability to reach that endpoint. The double free sits in the error path: once the callback has thrown, the function frees a buffer it had allocated for the replacement, and the normal cleanup at function exit frees the same buffer again. Freeing the same allocation twice corrupts the allocator's state, which at minimum crashes the process and, with control over what is allocated in between, is the basis for the code-execution claim [1].

Impact

Successful exploitation lets a remote attacker execute arbitrary code with the privileges of the PHP process (typically the web server or PHP-FPM worker) or crash the application (denial of service). NVD rates it CVSS v3 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, no privileges or user interaction required, high impact on confidentiality, integrity, and availability [1]. That rating assumes the worst case; the practical severity of a given deployment depends on whether untrusted input can reach a mb_ereg_replace_callback call whose callback is able to throw.

Mitigation

The fix shipped in PHP 5.5.37, 5.6.23, and 7.0.8 [1][2][4]; upgrade to those releases or later. Red Hat shipped the fix in RHSA-2016:2750 and RHSA-2016:2598 for Red Hat Enterprise Linux and Software Collections [1][3]. Those packages backport the patch while keeping their older upstream version string, so on such systems confirm the fix from the package changelog rather than from PHP_VERSION alone. No workaround is documented. The only interim risk reduction that follows from the trigger condition is to make sure callbacks passed to mb_ereg_replace_callback on untrusted input cannot throw; that narrows exposure but does not remove the bug.
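As an added example (not code from the advisory, from PHP's own test suite, or from the cited references), the script below does the two things a practitioner wants when triaging this CVE: it reports whether the running interpreter falls inside the affected ranges given under Mitigation, and it contains the minimal trigger described under Exploitation, a mb_ereg_replace_callback() call whose callback throws on the first match. The pattern, subject string and exception message are constructed for the example; the version-range function and its name are assumptions, not something the advisory defines. It is written to parse on PHP 5.4 and later so it can also be run on the old builds it checks.

```php
<?php
// Added example for CVE-2016-5768; not from the advisory or PHP's own tests.
// Part 1: is this interpreter inside the affected ranges?
// Part 2: the minimal trigger, a replacement callback that throws mid-match.

// Fixed releases named in the advisory: 5.5.37, 5.6.23, 7.0.8.
// Returns true when $version sits in an affected range. The input is assumed
// to be a "major.minor.patch" string such as PHP_VERSION; 7.1 and later were
// released after the fix and are treated as not affected.
function cve_2016_5768_affected($version)
{
    if (version_compare($version, '5.5.0', '<')) {
        return true;  // "PHP before 5.5.37" covers every earlier branch
    }
    if (version_compare($version, '5.6.0', '<')) {
        return version_compare($version, '5.5.37', '<');
    }
    if (version_compare($version, '7.0.0', '<')) {
        return version_compare($version, '5.6.23', '<');
    }
    if (version_compare($version, '7.1.0', '<')) {
        return version_compare($version, '7.0.8', '<');
    }
    return false;
}

// Minimal trigger. Pattern and subject are constructed for the example and
// deliberately trivial: the bug hinges on the callback throwing, not on the
// regex. On a patched build the exception simply propagates to the catch
// block; on an affected build this same call reaches the double free.
function run_trigger()
{
    if (!function_exists('mb_ereg_replace_callback')) {
        return 'mb_ereg_replace_callback() unavailable (mbstring regex support not built in)';
    }
    try {
        mb_ereg_replace_callback(
            'a',
            function (array $matches) {
                throw new RuntimeException('callback threw on match "' . $matches[0] . '"');
            },
            'aaa'
        );
    } catch (RuntimeException $e) {
        return 'exception propagated cleanly: ' . $e->getMessage();
    }
    return 'callback did not throw (unexpected)';
}

$affected = cve_2016_5768_affected(PHP_VERSION);
printf("PHP %s: %s\n", PHP_VERSION, $affected ? 'IN affected range' : 'not in affected range');

if ($affected) {
    echo "Skipping trigger: on an affected build it can crash the interpreter.\n";
} else {
    echo run_trigger(), "\n";
}
```

On a patched build the script prints that the exception propagated. The trigger is skipped when the version check says the build is affected, because on such a build the same call reaches the double free and may take the interpreter down rather than return; drop that guard only in a throwaway sandbox if you want to confirm the crash. Treat the version check as a first pass: Red Hat's packages carry the fix under an older upstream version string, so for those consult the package changelog instead.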

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 14

News mentions: 0 (no linked articles in our index yet)