VIR Vulnerability Intelligence Relay

CVE-2017-12932

critical
Published 2017-08-18 · Modified 2026-05-13
CVSS v3
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
7.5
VIR risk
9.8

Description

ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through 7.1.8 is prone to a heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array size. Exploitation of this issue can have an unspecified impact on the integrity of PHP.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-12932.html

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/php/php-src/commit/1a23ebc1fff59bf480ca92963b36eba5c1b904c4

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://bugs.php.net/bug.php?id=74103

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://php.net/ChangeLog-7.php

OS impact
OSVersionStatusFixed in
suse slesaffected

Application impact
VendorProductVersionsFixed
php phpphp7.0.0
php phpphp7.0.1
php phpphp7.0.2
php phpphp7.0.3
php phpphp7.0.4
php phpphp7.0.5
php phpphp7.0.6
php phpphp7.0.7
php phpphp7.0.8
php phpphp7.0.9
php phpphp7.0.10
php phpphp7.0.11
php phpphp7.0.12
php phpphp7.0.13
php phpphp7.0.14
php phpphp7.0.15
php phpphp7.0.16
php phpphp7.0.17
php phpphp7.0.18
php phpphp7.0.19
php phpphp7.0.20
php phpphp7.0.21
php phpphp7.0.22
php phpphp7.1.0
php phpphp7.1.1
php phpphp7.1.2
php phpphp7.1.3
php phpphp7.1.4
php phpphp7.1.5
php phpphp7.1.6
php phpphp7.1.7
php phpphp7.1.8

References

CWEs

CWE-416

Verify integrity in audit chain (admin only). AS-IS.