High severity7.5NVD Advisory· Published Jul 10, 2017· Updated May 13, 2026

CVE-2017-11143

Description

In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.

Affected products

PHP/PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Range: <=5.6.30

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

openwall.com/lists/oss-security/2017/07/10/6nvdMailing ListPatchThird Party Advisory
bugs.php.net/bug.phpnvdIssue TrackingPatchVendor Advisory
php.net/ChangeLog-5.phpnvdRelease NotesVendor Advisory
www.securityfocus.com/bid/99553nvd
access.redhat.com/errata/RHSA-2018:1296nvd
security.netapp.com/advisory/ntap-20180112-0001/nvd
www.debian.org/security/2018/dsa-4081nvd
www.tenable.com/security/tns-2017-12nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.008
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000