Your submission was sent successfully! Close

CVE-2016-9138

Published: 4 January 2017

PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.

Notes

AuthorNote
mdeslaur
should not unserialize untrusted data

CVE-2016-9137 was for the ext/curl/curl_file.c vulnerability
that was fixed in the same bug. This CVE is for the remaining
security problem associated with __wakeup, which, as far as I
can tell is still unfixed as of 2020-06-23
rodrigo-zaiden
As of 2022-02-04, there is still no upstream fix.
PHP Bug 73147 is mainly for CVE-2016-9137 and does not have
information for a new bug for CVE-2016-9138.
Suse has an indication that it might have been fixed along
with CVE-2016-7479 patch, but this is not perfectly clear.
Priority

Low

CVSS 3 base score: 9.8

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Not vulnerable

trusty Deferred

upstream Needs triage

xenial Does not exist

yakkety Does not exist

zesty Does not exist

Patches:
upstream: https://github.com/microsoft/php-src/commit/0e6fe3a4c96be2d3e88389a5776f878021b4c59f#diff-246862e485897a77cdcef1c52d473a52
php7.0
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Deferred

yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)
php7.2
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Deferred

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

php7.4
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Deferred

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

php8.0
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

impish Ignored
(reached end-of-life)
jammy Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

php8.1
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

impish Does not exist

jammy Deferred

trusty Does not exist

upstream Needs triage

xenial Does not exist