CVE-2022-31630

MEDIUM

PHP <7.4.33, 8.0.25, 8.1.12 - Memory Corruption

Title source: llm

Description

In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.

Exploits (2)

nomisec WORKING POC 1 stars

by sepkascurty-cpu · poc

https://github.com/sepkascurty-cpu/php-exploit_cve-2022-31630

View Code ZIP pw:eip

nomisec WRITEUP 1 stars

by sepkascurty-cpu · poc

https://github.com/sepkascurty-cpu/CVE-2022-31630---Proof-of-Concept-Exploit-untuk-PHP-7.4.33

View Code ZIP pw:eip

References (1)

[Exploit, Issue Tracking, Patch, Vendor Advisory] https://bugs.php.net/bug.php?id=81739

Scores

CVSS v3 6.5

EPSS 0.0007

EPSS Percentile 20.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Details

CWE

CWE-190 CWE-125 CWE-131

Status published

Products (1)

php/php 7.4.0 - 7.4.33

Published Nov 14, 2022

Tracked Since Feb 18, 2026