CVE-2023-3824

In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.

Published: Aug 11, 2023
Updated: May 4, 2025
CVE: CVE-2023-3824
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-119

Affected Software
References

Software	From	Fixed in
php / php	8.1.0	8.1.22
php / php	8.0.0	8.0.30
php / php	8.2.0	8.2.9
fedoraproject / fedora	38	38.x
debian / debian_linux	10.0	10.0.x

https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv
https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/
https://security.netapp.com/advisory/ntap-20230825-0001/

Vulnerability Database

289,599

CVE-2023-3824