VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 7, 2018· Updated Aug 5, 2024

CVE-2018-19935

CVE-2018-19935

Description

A NULL pointer dereference in PHP's imap_mail() function allows remote attackers to crash the application via an empty string message argument.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in PHP's imap_mail() function allows remote attackers to crash the application via an empty string message argument.

Vulnerability

In PHP versions 5.x and 7.x before 7.3.0, the imap_mail() function in ext/imap/php_imap.c contains a NULL pointer dereference vulnerability. When the message parameter is an empty string or not provided, the internal function _php_imap_mail does not validate the input before passing it to fprintf, leading to a segmentation fault [1]. The bug is triggered in PHP 7.2.11 and earlier versions [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted request to a PHP application that calls imap_mail() with an empty string as the message argument. No authentication is required if the application exposes this function to untrusted input. The attacker only needs to trigger the vulnerable code path, resulting in immediate denial of service [1].

Impact

Successful exploitation causes a NULL pointer dereference, leading to an application crash (denial of service). The impact is limited to availability; no data confidentiality or integrity is compromised. The crash occurs in the context of the PHP process [1].

Mitigation

The fix is included in PHP version 7.3.0, released on December 6, 2018 [1]. Users should upgrade to PHP 7.3.0 or later. For PHP 5.x and 7.0–7.2 branches, no official patches have been backported; upgrading to 7.3.0 is recommended. There is no workaround if the imap_mail() function must be used with untrusted input.

References
  1. null pointer dereference in imap_mail

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

21

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The imap_mail function dereferences a NULL pointer when the message argument is an empty string."

Attack vector

A remote attacker can trigger this vulnerability by calling the imap_mail function with an empty string as the message argument [ref_id=1]. This leads to a NULL pointer dereference within the `_php_imap_mail` function, causing the application to crash [ref_id=1].

Affected code

The vulnerability exists in the `ext/imap/php_imap.c` file, specifically within the `_php_imap_mail` function, around line 4065, where the `message` argument is used in an `fprintf` call [ref_id=1].

What the fix does

The advisory indicates that the vulnerability is fixed in PHP versions 5.6.39, 7.0.33, 7.1.26, 7.2.14, and 7.3.0. The specific patch details are not provided in the bundle, but the fix likely involves adding validation to ensure the message argument is not NULL before dereferencing it.

Preconditions

  • inputThe `imap_mail` function must be called with an empty string as the `message` argument.

Reproduction

<?php imap_mail('1', 1, NULL); ?>

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.