vulnerability
PHP Vulnerability: CVE-2019-9023
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Feb 22, 2019 | Feb 27, 2019 | Aug 11, 2025 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Feb 22, 2019
Added
Feb 27, 2019
Modified
Aug 11, 2025
Description
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.
Solutions
php-upgrade-5_6_40php-upgrade-7_2_14php-upgrade-7_3_1
References
- CVE-2019-9023
- https://attackerkb.com/topics/CVE-2019-9023
- CWE-125
- URL-https://bugs.php.net/bug.php?id=77370
- URL-https://bugs.php.net/bug.php?id=77371
- URL-https://bugs.php.net/bug.php?id=77381
- URL-https://bugs.php.net/bug.php?id=77382
- URL-https://bugs.php.net/bug.php?id=77385
- URL-https://bugs.php.net/bug.php?id=77394
- URL-https://bugs.php.net/bug.php?id=77418
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.