CVE-2017-11628
Description
PHP parse_ini_string/parse_ini_file functions allow stack buffer overflow in zend_ini_do_op(), enabling denial of service or code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow exists in the zend_ini_do_op() function in Zend/zend_ini_parser.c in PHP versions before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7 [1][2]. The vulnerability occurs when specially crafted input is passed via parse_ini_string() or parse_ini_file(). This is only reachable in applications that accept untrusted INI content (e.g., web-based syntax validators), not from the standard php.ini file [2]. The function copies a string into a fixed-size stack buffer (str_result) without proper length validation, potentially writing one byte past the buffer boundary [2].
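A simplified C model of the one-byte overflow described above, added here as an example and not taken from PHP's source or the cited references: an integer is formatted into a buffer that has no room for the terminator, next to a length-checked alternative. The capacity `RESULT_CAP`, the guard byte and both function names are assumptions for illustration, and the code assumes a 32-bit `int`.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity: room for the 11 characters of "-2147483648" (32-bit int)
 * but not for the terminating NUL. Not taken from PHP's source. */
#define RESULT_CAP 11
#define GUARD 0x7f

/* Unchecked pattern, run inside a backing array one byte larger than
 * RESULT_CAP so the stray byte lands on a guard we own (no real overflow).
 * Returns 1 if the write went past the logical RESULT_CAP boundary. */
int unchecked_clobbers_guard(int value)
{
    char backing[RESULT_CAP + 1];
    memset(backing, GUARD, sizeof backing);
    sprintf(backing, "%d", value);          /* no length check */
    return backing[RESULT_CAP] != GUARD;
}

/* Checked pattern: snprintf reports the length it needs; refuse the
 * result unless text plus terminator fits in out_size.
 * Returns the string length, or -1 if the buffer is too small. */
int format_checked(int value, char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "%d", value);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

int main(void)
{
    char small[RESULT_CAP], sized[RESULT_CAP + 1];
    printf("unchecked, INT_MIN: past boundary = %d\n", unchecked_clobbers_guard(INT_MIN));
    printf("unchecked, 42:      past boundary = %d\n", unchecked_clobbers_guard(42));
    printf("checked, %d-byte buffer: %d\n", RESULT_CAP, format_checked(INT_MIN, small, sizeof small));
    printf("checked, %d-byte buffer: %d\n", RESULT_CAP + 1, format_checked(INT_MIN, sized, sizeof sized));
    return 0;
}
```

Only the widest value reaches the guard byte, which is why a bug of this shape can pass ordinary tests and still be reachable with a chosen input.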
Exploitation
An attacker who can provide malicious input to a PHP application using either parse_ini_string() or parse_ini_file() can trigger the overflow by supplying an INI directive value with a specific numeric interpretation that forces zend_ini_do_op() to perform a copy beyond the allocated buffer size [2]. The overflow writes a single NULL byte or an integer representation past the bounds of the stack buffer. On systems without stack smashing protection, this may corrupt adjacent variables or the return address [2]. No authentication or special network position is required beyond the ability to submit arbitrary INI data.
Impact
Successful exploitation can lead to a denial of service (e.g., crash due to stack smashing detection) or, depending on compiler optimizations and stack layout, arbitrary code execution with the privileges of the PHP process [1][2]. The impact is limited to applications that expose INI parsing to untrusted data, but a full remote code execution scenario is considered possible [2].
Mitigation
The vulnerability is fixed in PHP 5.6.31, 7.0.21, and 7.1.7 [2]. Red Hat Software Collections shipped a patched version (rh-php70-php 7.0.27) as part of RHSA-2018:1296 [1]. Gentoo Linux also provides updated packages >=dev-lang/php-5.6.31 and >=dev-lang/php-7.0.23 [3]. Upgrading to the fixed version is the recommended mitigation. No workaround is available for unpatched installations; disabling the vulnerable functions is a potential but operationally restrictive measure [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:* range: <=5.6.30
- cpe:2.3:a:php:php:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:7.1.6:*:*:*:*:*:*:*
- osv-coords, 9 versions:
  - pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 (no CPE) range: < 5.3.17-112.5.1
  - pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 (no CPE) range: < 5.3.17-112.5.1
  - pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 (no CPE) range: < 5.3.17-112.5.1
  - pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012 (no CPE) range: < 5.5.14-109.5.1
  - pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2 (no CPE) range: < 5.5.14-109.5.1
  - pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE) range: < 5.5.14-109.5.1
  - pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012 (no CPE) range: < 7.0.7-50.9.2
  - pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2 (no CPE) range: < 7.0.7-50.9.2
  - pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE) range: < 7.0.7-50.9.2
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/99489 (nvd; Third Party Advisory, VDB Entry)
- bugs.php.net/bug.php (nvd; Issue Tracking, Third Party Advisory)
- git.php.net (nvd)
- git.php.net (nvd)
- access.redhat.com/errata/RHSA-2018:1296 (nvd)
- security.gentoo.org/glsa/201709-21 (nvd)
- security.netapp.com/advisory/ntap-20180112-0001/ (nvd)
- www.debian.org/security/2018/dsa-4080 (nvd)
- www.debian.org/security/2018/dsa-4081 (nvd)