CVE-2022-31630

MEDIUM

PHP <7.4.33, 8.0.25, 8.1.12 - Memory Corruption

Title source: llm

Description

In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.

References (1)

[Exploit, Issue Tracking, Patch, Vendor Advisory] https://bugs.php.net/bug.php?id=81739

Scores

CVSS v3 6.5

EPSS 0.0006

EPSS Percentile 18.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Classification

CWE

CWE-190 CWE-125 CWE-131

Status published

Affected Products (1)

php/php < 7.4.33

Timeline

Published Nov 14, 2022

Tracked Since Feb 18, 2026