CVE-2014-9912

Severity: critical
Published 2017-01-04 · Modified 2026-05-06
CVSS v3: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS v2: 7.5
VIR risk: 9.8

Description

The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.

Predictions

Exploit likelihood: 97%
Patch ETA:

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

- vendor, authored 2026-05-27: Vendor advisory: cve@mitre.org — https://bugzilla.redhat.com/show_bug.cgi?id=1383569
- vendor, authored 2026-05-27: Vendor advisory: cve@mitre.org — https://bugs.php.net/bug.php?id=67397
- vendor, authored 2026-05-27: Vendor advisory: cve@mitre.org — http://www.php.net/ChangeLog-5.php
- vendor, authored 2026-05-27: Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2014-9912.html

OS impact

OS    | Version | Status   | Fixed in
------|---------|----------|---------
suse  | sles    | affected |

Application impact

Vendor | Product | Versions                          | Fixed
-------|---------|-----------------------------------|------
php    | php     | up to and including 5.3.28        |
php    | php     | 5.4.0                             |
php    | php     | 5.4.1                             |
php    | php     | 5.4.2                             |
php    | php     | 5.4.3                             |
php    | php     | 5.4.4                             |
php    | php     | 5.4.5                             |
php    | php     | 5.4.6                             |
php    | php     | 5.4.7                             |
php    | php     | 5.4.8                             |
php    | php     | 5.4.9                             |
php    | php     | 5.4.10                            |
php    | php     | 5.4.11                            |
php    | php     | 5.4.12                            |
php    | php     | 5.4.13                            |
php    | php     | 5.4.14                            |
php    | php     | 5.4.15                            |
php    | php     | 5.4.16                            |
php    | php     | 5.4.17                            |
php    | php     | 5.4.18                            |
php    | php     | 5.4.19                            |
php    | php     | 5.4.20                            |
php    | php     | 5.4.21                            |
php    | php     | 5.4.22                            |
php    | php     | 5.4.23                            |
php    | php     | 5.4.24                            |
php    | php     | 5.4.25                            |
php    | php     | 5.4.26                            |
php    | php     | 5.4.27                            |
php    | php     | 5.4.28                            |
php    | php     | 5.4.29                            |
php    | php     | 5.5.0                             |
php    | php     | 5.5.1                             |
php    | php     | 5.5.2                             |
php    | php     | 5.5.3                             |
php    | php     | 5.5.4                             |
php    | php     | 5.5.5                             |
php    | php     | 5.5.6                             |
php    | php     | 5.5.7                             |
php    | php     | 5.5.8                             |
php    | php     | 5.5.9                             |
php    | php     | 5.5.10                            |
php    | php     | 5.5.11                            |
php    | php     | 5.5.12                            |
php    | php     | 5.5.13                            |

References

CWEs

CWE-119