VYPR
Unrated severity · OSV Advisory · Published Feb 22, 2019 · Updated Aug 4, 2024

CVE-2019-9022

Description

A buffer over-read in PHP's dns_get_record function allows a malicious DNS server to leak memory via crafted DNS responses.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds read vulnerability exists in PHP's dns_get_record function, specifically in the php_parserr function in ext/standard/dns.c. The issue affects PHP versions 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. When processing DNS responses for DNS_CAA and DNS_ANY query types, the parser misparses the response, leading to a misuse of memcpy that reads beyond the allocated buffer for DNS data.

Exploitation

An attacker must control a DNS server that responds to a DNS query made by a vulnerable PHP application. No authentication or user interaction is required beyond the application making a dns_get_record call with the affected query types. The attacker crafts a malicious DNS response that triggers the parsing flaw, causing memcpy to read past the buffer boundary.

Impact

Successful exploitation results in an out-of-bounds read, potentially disclosing sensitive memory contents. This information disclosure could leak data such as credentials, session tokens, or other confidential information from the PHP process's memory.

Mitigation

PHP has released fixed versions: 7.1.26, 7.2.14, and 7.3.2. Red Hat has provided updated packages via RHSA-2019:3299 for PHP 7.2.24 [1] and RHSA-2019:2519 for PHP 7.1.30 [2]. Ubuntu has issued updates for Ubuntu 12.04 ESM (USN-3922-3) [3] and Ubuntu 14.04 LTS (USN-3922-2) [4]. Users should upgrade to the latest patched versions or apply vendor-supplied updates. No workaround is available.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

67

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing check for zero-length DNS response data (`dlen=0`) in `php_parserr` leads to a negative length passed to `memcpy`, causing an out-of-bounds read."

Attack vector

An attacker who controls a DNS server (e.g., by configuring a malicious nameserver or performing a man-in-the-middle attack on DNS traffic) can send a crafted DNS response with `rdlength=0` for a CAA or ANY record. The PHP DNS parser in `php_parserr` computes a negative length from this zero-length field, which is not caught by the `CHECKCP` macro, and passes it to `memcpy` via `zend_string_init`. This causes an out-of-bounds read, leading to a segmentation fault or potentially information disclosure [ref_id=1].

Affected code

The vulnerable function is `php_parserr` in `ext/standard/dns.c`, specifically the code path that handles DNS responses for `DNS_CAA` and `DNS_ANY` query types. The parser does not account for `dlen=0`, which causes a negative length value to be passed to `memcpy` via `zend_string_init` in `Zend/zend_string.h` [ref_id=1].

What the fix does

The patch (committed by stas@php.net on 2019-01-07) adds a check for `dlen == 0` in `php_parserr` and aborts parsing of the DNS reply when a zero-length entry is encountered. This prevents the negative length calculation that leads to the out-of-bounds `memcpy`. The fix is conservative — it may cause incomplete parsing of legitimate `ANY` responses with NULL-type records, but it closes the memory-safety hole [ref_id=1].
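The length arithmetic described above, as an added example that is not PHP's code or part of the original advisory: a simplified CAA record parser showing why `dlen == 0` produces a negative length, and a bounds-checked version that rejects it. The record layout, function names and sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified CAA RDATA layout: flags(1) | tag_len(1) | tag | value.
 * Hypothetical model for illustration; not the code in ext/standard/dns.c. */

/* Unchecked arithmetic: value length = dlen - tag_len - 2. With dlen == 0
 * this is negative, and converting it to size_t for memcpy makes it huge. */
static int unchecked_value_len(int dlen, int tag_len) {
    return dlen - tag_len - 2;
}

/* Hardened parse: copies the value into out and returns its length,
 * or -1 if RDATA is empty, truncated, or larger than out. */
static long parse_caa_checked(const uint8_t *rdata, size_t dlen,
                              uint8_t *out, size_t out_cap) {
    if (dlen == 0) return -1;          /* zero-length entry: stop parsing */
    if (dlen < 2) return -1;           /* flags and tag_len must be present */
    size_t tag_len = rdata[1];
    if (dlen - 2 < tag_len) return -1; /* tag must end inside RDATA */
    size_t value_len = dlen - 2 - tag_len; /* cannot underflow after checks */
    if (value_len > out_cap) return -1;
    memcpy(out, rdata + 2 + tag_len, value_len);
    return (long)value_len;
}

/* Constructed sample record: flags=0, tag="issue", value="ca.example". */
static const uint8_t SAMPLE_CAA[] = {0x00, 0x05, 'i', 's', 's', 'u', 'e',
    'c', 'a', '.', 'e', 'x', 'a', 'm', 'p', 'l', 'e'};
static uint8_t value_buf[64];

int main(void) {
    int n = unchecked_value_len(0, 0);
    printf("unchecked: %d as int, %zu as size_t\n", n, (size_t)n);
    printf("checked, dlen=0: %ld\n",
           parse_caa_checked(SAMPLE_CAA, 0, value_buf, sizeof value_buf));
    long len = parse_caa_checked(SAMPLE_CAA, sizeof SAMPLE_CAA,
                                 value_buf, sizeof value_buf);
    printf("checked, full record: %ld bytes: %.*s\n", len, (int)len,
           (const char *)value_buf);
    return 0;
}
```

The checked version compares lengths as unsigned values before subtracting, so no intermediate result can go negative.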

Preconditions

  • network: The attacker must control a DNS server that the victim's system queries (e.g., by setting a malicious nameserver in /etc/resolv.conf or intercepting DNS traffic)
  • input: The PHP application must call dns_get_record() with DNS_CAA or DNS_ANY type

Reproduction

1. Set up a malicious DNS server on 127.0.0.1:53 using the provided server script that sends a crafted response with `rdlength=0` for a CAA record.
2. Configure the victim system to use 127.0.0.1 as its nameserver (e.g., add "nameserver 127.0.0.1" to /etc/resolv.conf).
3. Run `php -r 'dns_get_record("a.a.a", DNS_CAA);'` — this triggers a segmentation fault due to an out-of-bounds `memcpy` with a negative length [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

12
