CVE-2011-1938

PHP 5.3.3-5.3.6 - Stack-Based Buffer Overflow in socket_connect

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-1938. PoCs published by Jonathan Salwan, Marek Kroemeke.

Description

Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Jonathan Salwan · php · local · multiple
https://www.exploit-db.com/exploits/17486

This exploit leverages a stack-based buffer overflow in PHP's socket_connect function (CVE-2011-1938) to execute arbitrary code via a crafted UNIX socket pathname. It uses ROP gadgets to bypass protections and spawn a shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: PHP 5.3.3 through 5.3.6
No auth needed
Prerequisites: PHP 5.3.3-5.3.6 with sockets extension enabled · Ability to execute PHP code on the target system
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Marek Kroemeke · php · local · multiple
https://www.exploit-db.com/exploits/17318

This exploit targets a buffer overflow vulnerability in PHP 5.3.3-5.3.6 (CVE-2011-1938) by creating a large NOP sled followed by shellcode to execute arbitrary commands. It attempts to trigger the overflow via a socket connection to a crafted address.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Racy
Target: PHP 5.3.3-5.3.6
No auth needed
Prerequisites: PHP 5.3.3-5.3.6 installed · Ability to execute PHP scripts on the target system
devstral-2 · analyzed Feb 16, 2026

References (18)

Core References
Vendor Advisory x_refsource_confirm
http://www.php.net/archive/2011.php#id2011-08-18-1
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=133469208622507&w=2
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT5130
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/49241
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2011:165
Patch mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2011/05/24/9
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2012/dsa-2399
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/72644
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8294
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/17318/
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2011-1423.html
Vendor Advisory x_refsource_confirm
http://www.php.net/ChangeLog-5.php#5.3.7
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8262
Patch mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2011/05/24/1
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/67606

Scores

EPSS 0.2272
EPSS Percentile 97.4%

Details

CWE: CWE-119
Status published
Products (4)
php/php 5.3.3
php/php 5.3.4
php/php 5.3.5
php/php 5.3.6
Published May 31, 2011
Tracked Since Feb 18, 2026