VYPR
Unrated severityNVD Advisory· Published Apr 4, 2025· Updated Feb 26, 2026

Reference counting in php_request_shutdown causes Use-After-Free

CVE-2024-11235

Description

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=  operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

143

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.