CVE-2015-6834

CRITICAL

PHP < 5.4.45 - Remote Code Execution via Unserialization Use-After-Free

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-6834. PoCs published by Taoguang Chen.

AI-analyzed exploit summary: This exploit demonstrates a use-after-free vulnerability in PHP's unserialize() function with SplObjectStorage, allowing arbitrary memory manipulation and potential remote code execution. The PoC crafts a serialized payload to trigger the vulnerability during deserialization.

Description

Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Taoguang Chen · text · dos · php
https://www.exploit-db.com/exploits/38122

This exploit demonstrates a use-after-free vulnerability in PHP's unserialize() function with SplObjectStorage, allowing arbitrary memory manipulation and potential remote code execution. The PoC crafts a serialized payload to trigger the vulnerability during deserialization.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PHP 5.6 < 5.6.13, PHP 5.5 < 5.5.29, PHP 5.4 < 5.4.45
No auth needed
Prerequisites: PHP environment with vulnerable version · Ability to pass crafted serialized data to unserialize()
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Taoguang Chen · text · dos · php
https://www.exploit-db.com/exploits/38120

This exploit demonstrates a use-after-free vulnerability in PHP's unserialize() function with SplDoublyLinkedList, allowing arbitrary memory manipulation and potential remote code execution. The PoC crafts a serialized payload to trigger the vulnerability and control memory via a fake ZVAL structure.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PHP 5.6 < 5.6.13, PHP 5.5 < 5.5.29, PHP 5.4 < 5.4.45
No auth needed
Prerequisites: PHP installation with vulnerable version · Ability to pass crafted serialized data to unserialize()
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Various Sources x_refsource_confirm
https://bugs.php.net/bug.php?id=70366
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033548
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/76649
Various Sources x_refsource_confirm
http://php.net/ChangeLog-5.php
Various Sources x_refsource_confirm
https://bugs.php.net/bug.php?id=70365
Various Sources x_refsource_confirm
https://bugs.php.net/bug.php?id=70172
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3358
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201606-10

Scores

CVSS v3 9.8
EPSS 0.3545
EPSS Percentile 97.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (43)
php/php 5.5.0
php/php 5.5.1
php/php 5.5.2
php/php 5.5.3
php/php 5.5.4
php/php 5.5.5
php/php 5.5.6
php/php 5.5.7
php/php 5.5.8
php/php 5.5.9
... and 33 more
Published May 16, 2016
Tracked Since Feb 18, 2026