CVE-2015-0273

PHP < 5.4.38, 5.5.x < 5.5.22, 5.6.x < 5.6.6 - Use-After-Free via Crafted Serialized DateTime Data

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-0273. PoCs published by Taoguang Chen.

AI-analyzed exploit summary: This exploit leverages a use-after-free vulnerability in PHP's unserialize() function with DateTimeZone objects to achieve arbitrary code execution. The PoC demonstrates memory corruption by manipulating references to freed objects, allowing an attacker to execute shell commands.

Description

Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allow remote attackers to execute arbitrary code via crafted serialized input containing a (1) R or (2) r type specifier in (a) DateTimeZone data handled by the php_date_timezone_initialize_from_hash function or (b) DateTime data handled by the php_date_initialize_from_hash function.

Exploits (1)

exploitdb · WORKING POC
by Taoguang Chen · text · dos · php
https://www.exploit-db.com/exploits/36158

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: PHP 5.6 < 5.6.6, PHP 5.5 < 5.5.22, PHP 5.4 < 5.4.38
No auth needed
Prerequisites: PHP installation with vulnerable version · Ability to pass untrusted input to unserialize()
devstral-2 · analyzed Feb 16, 2026

References (28)

Core References
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3195
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Oct/msg00005.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2535-1
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=144050155601375&w=2
Exploit x_refsource_confirm
https://bugs.php.net/bug.php?id=68942
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=143748090628601&w=2
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2015:079
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=143403519711434&w=2
Various Sources x_refsource_confirm
http://php.net/ChangeLog-5.php
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1194730
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1031945
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT204942
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/72701
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1053.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201606-10
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1066.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1218.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1135.html
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205375
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205267

Scores

EPSS: 0.4132
EPSS Percentile: 98.5%

Details

Status: published
Products (29)
php/php 5.5.0 (13 CPE variants)
php/php 5.5.1
php/php 5.5.2
php/php 5.5.3
php/php 5.5.4
php/php 5.5.5
php/php 5.5.6
php/php 5.5.7
php/php 5.5.8
php/php 5.5.9
... and 19 more
Published: Mar 30, 2015
Tracked Since: Feb 18, 2026