CVE-2016-10161

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2016-10161
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10161.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2016-10161
Downstream
Related
Published
2017-01-24T21:59:00Z
Modified
2025-10-15T07:54:39.396265Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The objectcommon1 function in ext/standard/varunserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finishnesteddata call.

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
16b3003ffc6393e250f069aa28a78dc5a2c064b2

Affected versions

Other

NEWS
NEWS-cvs2svn

php-5.*

php-5.3.23RC1
php-5.3.29
php-5.3.29RC1
php-5.4.30RC1
php-5.4.32RC1
php-5.4.4RC2
php-5.5.24RC1
php-5.6.18RC1
php-5.6.19RC1
php-5.6.22RC1
php-5.6.23RC1
php-5.6.24RC1

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/php/php-src/commit/16b3003ffc6393e250f069aa28a78dc5a2c064b2",
        "id": "CVE-2016-10161-3b9c5256",
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "object_common1",
            "file": "ext/standard/var_unserializer.c"
        },
        "digest": {
            "function_hash": "102014736888371947073622309327152596049",
            "length": 313.0
        }
    },
    {
        "source": "https://github.com/php/php-src/commit/16b3003ffc6393e250f069aa28a78dc5a2c064b2",
        "id": "CVE-2016-10161-d7bff264",
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "ext/standard/var_unserializer.c"
        },
        "digest": {
            "line_hashes": [
                "156659818536995479401509881781153512977",
                "332411611261216109036119952550949627613",
                "175154365176312667493289913859517617239",
                "292808490699705175769846566855350577236",
                "204434093787147435695643524830940913973",
                "320404238966101544780012746116739028271",
                "254394193571028949476121628024199669157",
                "115826316860869632762850898256170057526",
                "288492443928640837034179369550419455465",
                "133597691269487802737759265767477076106",
                "133241928916394438999813332856060650490",
                "309069877246144241021183162857731752804",
                "300149141241140382422723902163337113949",
                "14537897399130975906325317205706474113",
                "135217159720101803264493392694616503520",
                "185283076345212462460319318519649780313",
                "108619621929876402586697073964540229436",
                "170971560399662829679597257279898093945",
                "94274429891472346158462649840890783608",
                "252924041623091431529690206662692415087",
                "135128096153015951808915615995313681469",
                "131619494778740792699116875231065282177",
                "317618530951820823023060414865401146756",
                "290489602454746427164461411655086850817",
                "148091462504421943564866916766665278755",
                "209812401911288028761332120089306364792",
                "248469110157997342180112564542801052355",
                "70020660201742646952249257863737609102",
                "301943635684423793388392119989171192422",
                "40252293043020688685497495068642280938",
                "91594551533227649248260845118997565747",
                "214007313744332650750185026050483657036",
                "111319538503803771628706851971394481706",
                "244404457169388937967563546267485743000",
                "51764611741152284502137778962470086133",
                "121211149818397940948596097403179740791",
                "124549686909994422343267069861448504208",
                "86604770935606210151290431002680849145",
                "322295431206784981122893089000068246954",
                "144854636401275310515902943222557455535",
                "240376856352271781753213191599085365136",
                "75389880859964568614716422307806993942",
                "131394561621523499781273345186884665026",
                "269344781322131441083608982517773901734",
                "63715437653235278129229794125032662148",
                "116832660271284920756294505450241968017",
                "25968016611702531840726495991311735263",
                "48314656578202292035288425544720254354",
                "81268529378724751960807935402108811495",
                "242903849568173550314315686971900602004",
                "289952286420159641552369844466606222201",
                "219777442382589674082647241951381047968",
                "203512797816867684133096412369260062681",
                "83316624676644098589983353475335242517",
                "222615053622175322934130995245001132284",
                "296323254794011160863202133311018479720",
                "317804225334766029110804062146121860382",
                "186664742860248452216040960675085258063",
                "278428620155752142638995760764112252093",
                "164756599401284224735253047706912681131",
                "236277780640987173307473841942057651246",
                "131453700100823837398392671304147153945",
                "93377686039681326460382529325332090830",
                "252642025292617061297567034208787785854",
                "105837189904120547275578161330148719999",
                "122695124371188015545299777422713641247",
                "106690670692583702481938425110489899852",
                "304119051236576772722763469777272013806",
                "28887068261345770513340006360061472811",
                "26280133394899063511596617912024520866",
                "307544587225187099823242738742231964521",
                "319581235034079905796705509909439236663",
                "162463844005770259670660752817855738370",
                "281966980067648074142240566543507404698",
                "294192437121896453685798446473529735239",
                "332362950513434373589925779088976557318",
                "108481352702888374011932934116500558828",
                "313438773159103981145298018448890417611",
                "219156078207585343436216815655929233414",
                "276214493963318764412424534748639683905",
                "41472256311408623347091202367731237368",
                "340226588820199043384612652998513531703",
                "303008292955944647144697137037776545327",
                "224866211994852054833883023846344453355",
                "85904425184399690027432215477446959133",
                "68308686890663402683343305057866492833",
                "186284636420507909642181281237471146931",
                "47097122779524089833671815772292756884",
                "37678903134115544278786524366861534611",
                "95113748457258960652270451863821414665",
                "323258015265784422023455444648171044409",
                "179747643586564489227379687069668531891",
                "242635727781932376784849390327411636973",
                "246219371449065516249945285850096598908",
                "111031523661467018242541877133279896151",
                "41425997854386759240047914135191211728",
                "153603517312343001461786959562384503529",
                "303177413990508647812165651295005986045",
                "184928466765896983686724124135951223638",
                "208332658735844803438330063883868864534",
                "111664045586250202426077714417272175202",
                "52745000606477910756160017957810204591",
                "51388981653003571918957703208683824275",
                "194469745212707854925036397979089728118",
                "84383999315842369499585587257702349447",
                "162028921666032764772388315493565288507",
                "51822975246475781917709858843502398203",
                "111330423438275767697563063323763280383",
                "326389986972610958986243871476829569596",
                "44401052975791225495741697253619455363",
                "313570138683617402028941989883696069615",
                "325169024165300323148198388953566181754",
                "322407698099982339444906360000862459888",
                "43093420482722734695652864146531921571",
                "102397668688437072526612661462575961794",
                "49457835069486511479137183234573342579",
                "297220464977272875635183875237861531565",
                "149330455243355885366588866922312608332",
                "289901322037952959099632678126383520970",
                "158275766494886894846308081583175902083",
                "244483168919666275356027592949487377141",
                "95589939382653840870153607230996668198",
                "96413379463859426235342842489805942111",
                "175295321965973290456496374677676168607",
                "73548063894324940807259246949041291648",
                "283637413765299367478168749713634756015",
                "169983434125104900482280482422699795451",
                "144324876620989193981448371400489921546",
                "216519841270810782881753630797795169707",
                "91468875349476294403202370719769848254",
                "152268322992391752766634161049229233651",
                "251449454170298881274153760483186219867",
                "328106744939042563559879595229177638190",
                "166814590317547466466707822212784960674"
            ],
            "threshold": 0.9
        }
    },
    {
        "source": "https://github.com/php/php-src/commit/16b3003ffc6393e250f069aa28a78dc5a2c064b2",
        "id": "CVE-2016-10161-f5aaf487",
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "php_var_unserialize",
            "file": "ext/standard/var_unserializer.c"
        },
        "digest": {
            "function_hash": "198732413940183559551554626991973413187",
            "length": 17379.0
        }
    }
]