Critical severity9.8NVD Advisory· Published Sep 17, 2016· Updated May 6, 2026

CVE-2016-7417

Description

ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/php/php-src/commit/ecb7f58a069be0dec4a6131b6351a761f808f22envdIssue TrackingPatch
bugs.php.net/bug.phpnvdExploitIssue Tracking
www.openwall.com/lists/oss-security/2016/09/15/10nvdMailing List
www.php.net/ChangeLog-5.phpnvdRelease Notes
www.php.net/ChangeLog-7.phpnvdRelease Notes
www.securityfocus.com/bid/93007nvd
www.securitytracker.com/id/1036836nvd
access.redhat.com/errata/RHSA-2018:1296nvd
security.gentoo.org/glsa/201611-22nvd
www.tenable.com/security/tns-2016-19nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000