Unrated severity · CISA KEV · NVD Advisory · Published Oct 28, 2019 · Updated Oct 21, 2025
Underflow in PHP-FPM can lead to RCE
CVE-2019-11043
Description
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of the FPM setup, it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
Affected products (1)
Patches (0)
No patches discovered yet.
References (26)
- lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html (mitre, vendor-advisory, x_refsource_SUSE)
- access.redhat.com/errata/RHSA-2019:3286 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2019:3287 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2019:3299 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2019:3300 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2019:3724 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2019:3735 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2019:3736 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2020:0322 (mitre, vendor-advisory, x_refsource_REDHAT)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/ (mitre, vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/4166-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4166-2/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2019/dsa-4552 (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.debian.org/security/2019/dsa-4553 (mitre, vendor-advisory, x_refsource_DEBIAN)
- packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2020/Jan/40 (mitre, mailing-list, x_refsource_FULLDISC)
- bugs.php.net/bug.php (mitre, x_refsource_CONFIRM)
- seclists.org/bugtraq/2020/Jan/44 (mitre, mailing-list, x_refsource_BUGTRAQ)
- security.netapp.com/advisory/ntap-20191031-0003/ (mitre, x_refsource_CONFIRM)
- support.apple.com/kb/HT210919 (mitre, x_refsource_CONFIRM)
- support.f5.com/csp/article/K75408500 (mitre, x_refsource_CONFIRM)
- www.synology.com/security/advisory/Synology_SA_19_36 (mitre, x_refsource_CONFIRM)
- www.tenable.com/security/tns-2021-14 (mitre, x_refsource_CONFIRM)