CVE-2017-12934

Vulnerability

In PHP versions 7.0.x before 7.0.21 and 7.1.x before 7.1.7, the unserialize() function in ext/standard/var_unserializer.re is vulnerable to a heap use-after-free when processing specially crafted serialized data. The issue occurs in the zval_get_type function defined in Zend/zend_types.h due to improper memory handling during unserialization. Affected versions: PHP 7.0.0 to 7.0.20, PHP 7.1.0 to 7.1.6.

Exploitation

An attacker can exploit this vulnerability by providing a malicious serialized string to any PHP application that calls unserialize() on untrusted input. No authentication or special network position is required beyond the ability to supply the serialized data (e.g., via HTTP parameters, file uploads, or stored data). The specific crafted payload triggers a read operation on freed memory, leading to a use-after-free condition. The proof-of-concept was provided in the bug report [3].

Impact

Successful exploitation results in a heap use-after-free read, which can cause a crash (denial of service) or potentially lead to arbitrary code execution depending on the heap state. The CVSS score is 7.5, reflecting high severity. The impact is primarily on the integrity and availability of PHP applications.

Mitigation

The vulnerability is fixed in PHP 7.0.21 and 7.1.7, released on August 3, 2017 [1][3]. Users should upgrade to these versions or later. No workarounds are available other than not using unserialize() on untrusted data. For Red Hat Software Collections, the fix is included in rh-php70-php 7.0.27.