Vulnerability Description
The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which allows remote attackers to cause a denial of service (memory corruption or application crash) or possibly have unspecified other impact via unknown vectors. NOTE: this is disputed by the vendor because the standard erealloc behavior makes the free operation unreachable
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Php | Php | <= 5.6.4 |
Related Weaknesses (CWE)
References
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=a72cd07f2983dc43a6bb35209dc4687
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=ef89ab2f99fbd9b7b714556d4f1f506
- http://lists.opensuse.org/opensuse-updates/2015-02/msg00079.html
- https://bugs.php.net/bug.php?id=68665Vendor Advisory
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=a72cd07f2983dc43a6bb35209dc4687
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=ef89ab2f99fbd9b7b714556d4f1f506
- http://lists.opensuse.org/opensuse-updates/2015-02/msg00079.html
- https://bugs.php.net/bug.php?id=68665Vendor Advisory
FAQ
What is CVE-2014-9426?
CVE-2014-9426 is a vulnerability with a CVSS score of 7.3 (HIGH). The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which allows remote attacker...
How severe is CVE-2014-9426?
CVE-2014-9426 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-9426?
Check the references section above for vendor advisories and patch information. Affected products include: Php Php.