CVE-2022-31626 php: password of excessive length triggers buffer overflow leading to RCE
When using the PDO_MySQL extension with the mysqlnd driver, if a third party is allowed to supply the host and credentials with which to connect, a password of excessive length can trigger a buffer overflow in PHP, leading to a remote code execution vulnerability.
If you use the PDO_MySQL extension with the mysqlnd driver, you should upgrade to a patched version of PHP.
If you cannot, consider validating the password and rejecting values of abnormal length before they are passed to the connection. As an example:
if (strlen($password) > 128) { throw new RuntimeException('Invalid password'); }
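The same length check placed where it has to sit, before the untrusted parameters reach PDO_MySQL and mysqlnd, as an added example that is not part of the Zend advisory. The 128-byte password limit is the advisory's own figure; the host and user limits, the function name and the sample input are assumptions made for illustration.

```php
<?php
// Added example (not from the advisory): a connection wrapper that length-checks
// third-party supplied connection parameters before constructing the PDO object.
const MAX_PASSWORD_LENGTH = 128; // limit taken from the advisory's sample check
const MAX_HOST_LENGTH     = 253; // assumption: DNS hostname length limit
const MAX_USER_LENGTH     = 32;  // assumption: MySQL account name limit

function connectMysql(string $host, string $user, string $password, string $dbname): PDO
{
    // strlen() counts bytes, not characters, which is the quantity that matters
    // for a buffer overflow in the driver.
    if (strlen($password) > MAX_PASSWORD_LENGTH) {
        throw new RuntimeException('Invalid password');
    }
    if (strlen($host) > MAX_HOST_LENGTH || !preg_match('/^[A-Za-z0-9.\-]+$/', $host)) {
        throw new RuntimeException('Invalid host');
    }
    if (strlen($user) > MAX_USER_LENGTH) {
        throw new RuntimeException('Invalid user');
    }

    // Only validated values are interpolated into the DSN and handed to mysqlnd.
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $host, $dbname);
    return new PDO($dsn, $user, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// Constructed input: a 4096-byte password, far beyond any legitimate length.
try {
    connectMysql('db.example.internal', 'app', str_repeat('A', 4096), 'app');
} catch (RuntimeException $e) {
    // The oversized value is rejected here; PDO::__construct is never reached.
    error_log('Rejected connection attempt: ' . $e->getMessage());
}
```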