EIP-2026-104664

PRE-CVE

PHP 5.4/5.5/5.6 - 'Unserialize()' Use-After-Free

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104664. PoC published by Taoguang Chen.

AI-analyzed exploit summary: This exploit demonstrates a use-after-free vulnerability in PHP's unserialize() function with Serializable classes, allowing arbitrary memory manipulation and potential remote code execution. The PoC leverages crafted serialized data to free memory and then reference it, creating a controlled use-after-free condition.

Description

PHP 5.4/5.5/5.6 - 'Unserialize()' Use-After-Free

Exploits (1)

exploitdb · WORKING POC
by Taoguang Chen · text · dos · php
https://www.exploit-db.com/exploits/38125

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PHP 5.4 < 5.4.44, PHP 5.5 < 5.5.28, PHP 5.6 < 5.6.12
Authentication: No auth needed
Prerequisites: PHP installation with vulnerable version · Ability to pass crafted serialized data to unserialize()
Analyzed by devstral-2 on Feb 18, 2026

Details

Status: pre_cve
Tracked since: Feb 18, 2026