The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines.
Threat-Mapped Scoring
Score: 1.5
Priority: P4 - Informational (Low)
EPSS
Score: 0.06889Percentile:
0.90943
CVSS Scoring
CVSS v3.1 Score: 7.5
Severity: HIGH
Mapped CWE(s)
CWE-674
: Uncontrolled Recursion
All CAPEC(s)
CAPEC-230 : Serialized Data with Nested Payloads
CAPEC-231 : Oversized Serialized Data Payloads
CAPEC(s) with Mapped TTPs
Mapped ATT&CK TTPs
Affected Products
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*
cpe:2.3:o:novell:suse_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:novell:suse_linux:10.1:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:8:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:10:sp1:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:2.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:3.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:2.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:*:*:*:*:*:*:*
← Back to Home
BrownCoat Threat Intelligence Platform | 2025 Steve Gray — You Can’t Take the Sky from Me