CVE-2016-5770
Description
Integer overflow in PHP's SplFileObject::fread allows remote attackers to cause denial of service or possibly other unspecified impact via a large integer argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An integer overflow exists in the SplFileObject::fread function in spl_directory.c of PHP's SPL extension. It affects PHP versions before 5.5.37 and 5.6.x before 5.6.23 [2]. The overflow occurs when a large integer argument is passed to fread. The issue is related to CVE-2016-5096.
Exploitation
An attacker can exploit this remotely by providing a crafted large integer value to the fread method of a SplFileObject instance. No authentication is required; the attacker only needs to trigger the vulnerable code path, for example through a web application that accepts user input for file reading operations.
Impact
Successful exploitation can cause a denial of service (crash) or potentially lead to other unspecified impacts, such as memory corruption or arbitrary code execution, depending on the environment. The exact impact is not fully detailed in available references.
Mitigation
Upgrade to PHP 5.5.37, 5.6.23, or later. Red Hat Software Collections provided an update to rh-php56 5.6.25 in RHSA-2016:2750 [1]. No workaround is documented; applying the patch is recommended.
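One way to triage an inventory against the upstream ranges stated above, as an added example that is not part of the advisory or of PHP itself. The function names and the sample version strings are constructed, and a branch this page gives no range for is reported as not covered rather than guessed.

```python
import re

# Upstream fix versions stated on this page: 5.5.37 and 5.6.23.
FIXED_55 = (5, 5, 37)
FIXED_56 = (5, 6, 23)


def parse_php_version(text):
    """Extract (major, minor, patch) from strings such as '5.6.22-1+deb8u1'
    or 'PHP 5.5.36 (cli)'. Returns None if no x.y.z version is present."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text):
    """Classify an upstream PHP version against the ranges on this page.

    'affected'    : before 5.5.37, or 5.6.x before 5.6.23
    'fixed'       : 5.5.37 or later in 5.5.x, 5.6.23 or later in 5.6.x
    'not-covered' : a branch the page states no range for
    'unparsed'    : no version found in the input
    """
    v = parse_php_version(text)
    if v is None:
        return "unparsed"
    if v < FIXED_55:
        return "affected"  # everything before 5.5.37
    if v[:2] == (5, 5):
        return "fixed"
    if v[:2] == (5, 6):
        return "affected" if v < FIXED_56 else "fixed"
    return "not-covered"


if __name__ == "__main__":
    # Constructed sample inventory: (host label, reported version string).
    inventory = [
        ("web-01", "PHP 5.5.36 (cli)"),
        ("web-02", "5.6.22-1+deb8u1"),
        ("web-03", "5.6.25"),
        ("web-04", "version string missing"),
    ]
    for host, reported in inventory:
        print(f"{host}: {reported!r} -> {classify(reported)}")
```

This compares upstream version numbers only. Distribution packages can carry the fix without changing the upstream version, as the SUSE range `< 5.5.14-68.1` listed under Affected products shows, so for distro builds compare the package release against the vendor advisory instead.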
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- osv-coords (2 versions)
  - pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012
  - pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1
  - range: < 5.5.14-68.1 (+ 1 more)
- (no CPE), range: < 5.5.14-68.1
- (no CPE), range: < 5.5.14-68.1
References
- github.com/php/php-src/commit/7245bff300d3fa8bacbef7897ff080a6f1c23eba (nvd: Patch, Third Party Advisory)
- php.net/ChangeLog-5.php (nvd: Patch, Release Notes, Vendor Advisory)
- www.openwall.com/lists/oss-security/2016/06/23/4 (nvd: Mailing List, Patch, Third Party Advisory)
- bugs.php.net/bug.php (nvd: Exploit, Issue Tracking, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2016-07/msg00004.html (nvd: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2016-08/msg00003.html (nvd: Mailing List, Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2016-2750.html (nvd: Third Party Advisory)
- www.debian.org/security/2016/dsa-3618 (nvd: Third Party Advisory)
- www.securityfocus.com/bid/91403 (nvd: Third Party Advisory, VDB Entry)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd: Third Party Advisory)
- support.apple.com/HT207170 (nvd: Third Party Advisory)
- lists.apple.com/archives/security-announce/2016/Sep/msg00006.html (nvd: Broken Link, Mailing List)