CVE-2022-31630 php: OOB read due to insufficient input validation in imageloadfont()

Publication Date2022-10-27
SeverityCritical
TypeCross-Site Request Forgery
Affected PHP Versions
  • 7.4.0 - 7.4.32
  • 8.0.0 - 8.0.24
  • 8.1.0 - 8.1.11
Fixed Product Versions
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendServer 2021.3.0

CVE Details

An out-of-bounds read flaw was found in PHP due to insufficient input validation in the imageloadfont() function. This flaw allows a remote attacker to pass specially crafted data to the web application, trigger an out-of-bounds read error, and read the contents of memory on the system.

Recommendations

If you use the GD extension, and specifically its imageloadfont() function, you should upgrade to a patched version of PHP immediately.

Please note that this issue was only introduced in PHP 7.4; versions prior to that do not have the vulnerability.