CVE-2024-11235

Name: CVE-2024-11235
Description: In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
php8.4 (PTS)   | trixie  | 8.4.5-1 | fixed
php8.4 (PTS)   | sid     | 8.4.6-1 | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
php8.4  | source | (unstable) | 8.4.5-1       |         |        |

Notes

https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477
