Innovate faster and cut risk with PHP experts from Zend Services.
Explore Services
Beginning to advanced PHP classes to learn and earn global certification.
Help me choose >
Explore Training
Submit support requests and browse self-service resources.
Explore Support
CVE-2021-21708 php: Use after free due to php_filter_float() failing
In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE.
Consider using a different mechanism for validating a float. As an example, the following function accomplishes equivalent validation: ```php function validateFloat(mixed $value, float $min, float $max, bool $filterNullOnFailure = false): null|bool|float { if (! is_float($value) && ! is_numeric($value)) { return $filterNullOnFailure ? null : false; } $value = (float) $value; if ($min > $value || $max < $value) { return $filterNullOnFailure ? null : false; } return $value; } ``` Alternately, update to PHP 8.1.3, 8.0.16, 7.4.28, 7.3.33, ZendPHP 7.2.34.8, ZendPHP 7.1.33.12, or ZendPHP 5.6.40.15.
Direct link to CVE-2021-21708 >
< View all CVEs