CVE-2024-11235
Reference counting in `php_request_shutdown` causes Use-After-Free.
| Publication Date | 2025-03-14 |
|---|---|
| Severity | Critical |
| Type | Cross-Site Request Forgery |
| Affected PHP Versions | |
| Fixed Product Versions | |
CVE Details
A vulnerability classified as critical was found in PHP up to 8.3.18/8.4.4. It affects the function `php_request_shutdown`. Manipulation with an unknown input leads to a use-after-free vulnerability, classified as CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. The known impact covers confidentiality, integrity, and availability.
Recommendations
There is no known workaround for CVE-2024-11235; we recommend upgrading to a known patched version of PHP.