VIR Vulnerability Intelligence Relay

CVE-2017-12933

critical
Published 2017-08-18 · Modified 2026-05-13
CVSS v3
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
7.5
VIR risk
9.8

Description

The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-12933.html

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://bugs.php.net/bug.php?id=74111

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://php.net/ChangeLog-7.php

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://php.net/ChangeLog-5.php

OS impact
OSVersionStatusFixed in
suse slesaffected

Application impact
VendorProductVersionsFixed
php phpphp{"endIncluding":"5.6.30"}
php phpphp7.0.0
php phpphp7.0.1
php phpphp7.0.2
php phpphp7.0.3
php phpphp7.0.4
php phpphp7.0.5
php phpphp7.0.6
php phpphp7.0.7
php phpphp7.0.8
php phpphp7.0.9
php phpphp7.0.10
php phpphp7.0.11
php phpphp7.0.12
php phpphp7.0.13
php phpphp7.0.14
php phpphp7.0.15
php phpphp7.0.16
php phpphp7.0.17
php phpphp7.0.18
php phpphp7.0.19
php phpphp7.0.20
php phpphp7.1.0
php phpphp7.1.1
php phpphp7.1.2
php phpphp7.1.3
php phpphp7.1.4
php phpphp7.1.5
php phpphp7.1.6

References

CWEs

CWE-125

Verify integrity in audit chain (admin only). AS-IS.