CVE-2022-31626

CVE-2022-31626 php: password of excessive length triggers buffer overflow leading to RCE

Publication Date	2022-05-16
Severity	High
Type	Remote Code Execution
Affected PHP Versions	5.6.0 - 5.6.40 7.1.0 - 7.1.33 7.2.0 - 7.2.34 7.3.0 - 7.3.33 7.4.0 - 7.4.29 8.0.0 - 8.0.19 8.1.0 - 8.1.6
Fixed Product Versions	ZendPHP 5.6 ZendPHP 7.1 ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendPHP 8.0 ZendPHP 8.1 ZendServer 8.5.19 ZendServer 9.1.14 ZendServer 2019.1.1 ZendServer 2021.2.0

CVE Details

When using the PDO_MySQL extension with the mysqlnd driver, if a third party is allowed to supply the host and credentials with which to connect, a password of excessive length can trigger a buffer overflow in PHP, leading to a remote code execution vulnerability.

Recommendations

If you use the PDO_MySQL extension with the mysqlnd driver, you should upgrade to a patched version of PHP.

If you cannot, consider adding validation to password that rejects passwords of abnormal length. As an example:

if (strlen($password) > 128) {
    throw new RuntimeException('Invalid password');
}

< View all CVEs

Featured Product

ZendPHP

2025 PHP Landscape Report

CVE Details

Recommendations