CVE-2022-31625

HIGH

PHP < 7.4.30, < 8.0.20, < 8.1.7 - Use After Free

Description

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the Postgres database extension, supplying invalid parameters to a parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to an RCE vulnerability or denial of service.

Scores

CVSS v3 8.1
EPSS 0.0077
EPSS Percentile 73.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-590 CWE-763 CWE-824
Status published
Products (3)
debian/debian_linux 10.0
debian/debian_linux 11.0
php/php 7.4.0 - 7.4.30
Published Jun 16, 2022
Tracked Since Feb 18, 2026