CVE-2024-11235

Reference counting in php_request_shutdown causes Use-After-Free

Severity Score

9.2

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

A flaw was found in PHP. This vulnerability allows remote code execution via a crafted code path involving the __set magic method or the null coalescing assignment (??=) operator, in combination with exception handling. Attackers can trigger a use-after-free condition by controlling the memory layout through specially crafted inputs.

It was discovered that PHP incorrectly handle certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code. It was discovered that PHP incorrectly handle certain folded headers. An attacker could possibly use this issue to cause a crash or execute arbitrary code. It was discovered that PHP incorrectly handled certain headers. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS Ubuntu 24.10, and Ubuntu 24.04 LTS.

*Credits: Junwha Hong

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Attack Requirements

Present

Privileges Required

None

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

High

None

Attack Vector

Network

Attack Complexity

High

Attack Requirements

Present

Privileges Required

None

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

High

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-11-15 CVE Reserved
2025-04-01 CVE Published
2025-04-05 CVE Updated
2025-05-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (3)

URL	Tag	Source
https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-11235	2025-05-13
https://bugzilla.redhat.com/show_bug.cgi?id=2357531	2025-05-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
PHP Group Search vendor "PHP Group"		PHP Search vendor "PHP Group" for product "PHP"				>= 8.4.0 < 8.4.5 Search vendor "PHP Group" for product "PHP" and version " >= 8.4.0 < 8.4.5"		en		Affected
PHP Group Search vendor "PHP Group"		PHP Search vendor "PHP Group" for product "PHP"				>= 8.3.0 < 8.3.19 Search vendor "PHP Group" for product "PHP" and version " >= 8.3.0 < 8.3.19"		en		Affected