Description
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the Postgres database extension (pgsql), supplying invalid parameters to a parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to remote code execution (RCE) or denial of service.
References (7)
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZTZQKRGEYJT5UB4FGG3MOE72SQUHSL4/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3T4MMEEZYYAEHPQMZDFN44PHORJWJFZQ/
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5179
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202209-20
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html
Exploit, Issue Tracking, Mailing List, Patch, Vendor Advisory
https://bugs.php.net/bug.php?id=81720
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220722-0005/
Scores
CVSS v3
8.1
EPSS
0.0344
EPSS Percentile
87.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-590
CWE-763
CWE-824
Status
published
Products (3)
debian/debian_linux
10.0
debian/debian_linux
11.0
php/php
7.4.0 - 7.4.30 (versions below 7.4.30; 7.4.30 is the fixed release)
Published
Jun 16, 2022
Tracked Since
Feb 18, 2026