CVE-2014-3478

Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.

Published: Jul 9, 2014
Updated: Nov 9, 2025
CVE: CVE-2014-3478
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-119

Affected Software
References

Software	From	Fixed in
christos_zoulas / file	5.00	5.00.x
christos_zoulas / file	5.04	5.04.x
php / php	5.5.0-alpha1	5.5.0-alpha1.x
php / php	5.5.0-alpha3	5.5.0-alpha3.x
christos_zoulas / file	5.10	5.10.x
php / php	5.4.12-rc1	5.4.12-rc1.x
php / php	5.4.15-rc1	5.4.15-rc1.x
php / php	5.5.0-beta3	5.5.0-beta3.x
php / php	5.4.12	5.4.12.x
christos_zoulas / file	5.07	5.07.x
php / php	5.5.0	5.5.0.x
php / php	5.4.19	5.4.19.x
php / php	5.5.1	5.5.1.x
christos_zoulas / file	5.02	5.02.x
php / php	5.5.5	5.5.5.x
christos_zoulas / file	5.03	5.03.x
christos_zoulas / file	5.11	5.11.x
php / php	5.4.14	5.4.14.x
php / php	5.4.8	5.4.8.x
php / php	5.4.17	5.4.17.x
php / php	5.4.14-rc1	5.4.14-rc1.x
php / php	5.5.7	5.5.7.x
php / php	5.5.0-beta1	5.5.0-beta1.x
christos_zoulas / file	5.16	5.16.x
php / php	5.4.12-rc2	5.4.12-rc2.x
christos_zoulas / file	5.12	5.12.x
php / php	5.4.22	5.4.22.x
php / php	5.4.9	5.4.9.x
php / php	5.4.11	5.4.11.x
christos_zoulas / file	5.17	5.17.x
php / php	5.5.12	5.5.12.x
christos_zoulas / file	5.05	5.05.x
php / php	5.4.10	5.4.10.x
php / php	5.5.6	5.5.6.x
php / php	5.4.2	5.4.2.x
christos_zoulas / file	5.13	5.13.x
php / php	5.5.0-rc1	5.5.0-rc1.x
php / php	5.5.0-beta4	5.5.0-beta4.x
php / php	5.5.3	5.5.3.x
php / php	5.4.27	5.4.27.x
php / php	5.5.8	5.5.8.x
php / php	5.4.16-rc1	5.4.16-rc1.x
php / php	5.4.28	5.4.28.x
php / php	5.4.21	5.4.21.x
christos_zoulas / file	-	5.18.x
christos_zoulas / file	5.14	5.14.x
php / php	5.4.5	5.4.5.x
php / php	-	5.4.29.x
php / php	5.4.26	5.4.26.x
php / php	5.5.0-alpha6	5.5.0-alpha6.x
php / php	5.5.0-beta2	5.5.0-beta2.x
php / php	5.5.11	5.5.11.x
php / php	5.5.13	5.5.13.x
php / php	5.5.4	5.5.4.x
php / php	5.4.24	5.4.24.x
christos_zoulas / file	5.01	5.01.x
php / php	5.4.23	5.4.23.x
php / php	5.4.6	5.4.6.x
christos_zoulas / file	5.08	5.08.x
php / php	5.4.13	5.4.13.x
php / php	5.5.0-alpha4	5.5.0-alpha4.x
php / php	5.4.0	5.4.0.x
php / php	5.4.3	5.4.3.x
php / php	5.4.18	5.4.18.x
christos_zoulas / file	5.06	5.06.x
php / php	5.5.10	5.5.10.x
php / php	5.5.0-alpha5	5.5.0-alpha5.x
php / php	5.4.1	5.4.1.x
php / php	5.4.13-rc1	5.4.13-rc1.x
christos_zoulas / file	5.15	5.15.x
php / php	5.4.20	5.4.20.x
php / php	5.5.0-alpha2	5.5.0-alpha2.x
christos_zoulas / file	5.09	5.09.x
php / php	5.4.25	5.4.25.x
php / php	5.4.7	5.4.7.x
php / php	5.4.4	5.4.4.x
php / php	5.5.2	5.5.2.x
php / php	5.5.0-rc2	5.5.0-rc2.x
php / php	5.5.9	5.5.9.x

Vulnerability Database

313,825

CVE-2014-3478

Deep Security Visibility Without the Complexity