CVE-2016-10161

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2016-10161
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10161.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2016-10161
Downstream
Related
Published
2017-01-24T21:59:00Z
Modified
2025-09-19T08:08:49.945301Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The objectcommon1 function in ext/standard/varunserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finishnesteddata call.

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
16b3003ffc6393e250f069aa28a78dc5a2c064b2

Affected versions

Other

NEWS
NEWS-cvs2svn

php-5.*

php-5.3.23RC1
php-5.3.29
php-5.3.29RC1
php-5.4.30RC1
php-5.4.32RC1
php-5.4.4RC2
php-5.5.24RC1
php-5.6.18RC1
php-5.6.19RC1
php-5.6.22RC1
php-5.6.23RC1
php-5.6.24RC1

Database specific 

{
    "vanir_signatures": [
        {
            "deprecated": false,
            "target": {
                "function": "object_common1",
                "file": "ext/standard/var_unserializer.c"
            },
            "source": "https://github.com/php/php-src/commit/16b3003ffc6393e250f069aa28a78dc5a2c064b2",
            "signature_type": "Function",
            "id": "CVE-2016-10161-3b9c5256",
            "signature_version": "v1",
            "digest": {
                "function_hash": "102014736888371947073622309327152596049",
                "length": 313.0
            }
        },
        {
            "deprecated": false,
            "target": {
                "file": "ext/standard/var_unserializer.c"
            },
            "source": "https://github.com/php/php-src/commit/16b3003ffc6393e250f069aa28a78dc5a2c064b2",
            "signature_type": "Line",
            "id": "CVE-2016-10161-d7bff264",
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "156659818536995479401509881781153512977",
                    "332411611261216109036119952550949627613",
                    "175154365176312667493289913859517617239",
                    "292808490699705175769846566855350577236",
                    "204434093787147435695643524830940913973",
                    "320404238966101544780012746116739028271",
                    "254394193571028949476121628024199669157",
                    "115826316860869632762850898256170057526",
                    "288492443928640837034179369550419455465",
                    "133597691269487802737759265767477076106",
                    "133241928916394438999813332856060650490",
                    "309069877246144241021183162857731752804",
                    "300149141241140382422723902163337113949",
                    "14537897399130975906325317205706474113",
                    "135217159720101803264493392694616503520",
                    "185283076345212462460319318519649780313",
                    "108619621929876402586697073964540229436",
                    "170971560399662829679597257279898093945",
                    "94274429891472346158462649840890783608",
                    "252924041623091431529690206662692415087",
                    "135128096153015951808915615995313681469",
                    "131619494778740792699116875231065282177",
                    "317618530951820823023060414865401146756",
                    "290489602454746427164461411655086850817",
                    "148091462504421943564866916766665278755",
                    "209812401911288028761332120089306364792",
                    "248469110157997342180112564542801052355",
                    "70020660201742646952249257863737609102",
                    "301943635684423793388392119989171192422",
                    "40252293043020688685497495068642280938",
                    "91594551533227649248260845118997565747",
                    "214007313744332650750185026050483657036",
                    "111319538503803771628706851971394481706",
                    "244404457169388937967563546267485743000",
                    "51764611741152284502137778962470086133",
                    "121211149818397940948596097403179740791",
                    "124549686909994422343267069861448504208",
                    "86604770935606210151290431002680849145",
                    "322295431206784981122893089000068246954",
                    "144854636401275310515902943222557455535",
                    "240376856352271781753213191599085365136",
                    "75389880859964568614716422307806993942",
                    "131394561621523499781273345186884665026",
                    "269344781322131441083608982517773901734",
                    "63715437653235278129229794125032662148",
                    "116832660271284920756294505450241968017",
                    "25968016611702531840726495991311735263",
                    "48314656578202292035288425544720254354",
                    "81268529378724751960807935402108811495",
                    "242903849568173550314315686971900602004",
                    "289952286420159641552369844466606222201",
                    "219777442382589674082647241951381047968",
                    "203512797816867684133096412369260062681",
                    "83316624676644098589983353475335242517",
                    "222615053622175322934130995245001132284",
                    "296323254794011160863202133311018479720",
                    "317804225334766029110804062146121860382",
                    "186664742860248452216040960675085258063",
                    "278428620155752142638995760764112252093",
                    "164756599401284224735253047706912681131",
                    "236277780640987173307473841942057651246",
                    "131453700100823837398392671304147153945",
                    "93377686039681326460382529325332090830",
                    "252642025292617061297567034208787785854",
                    "105837189904120547275578161330148719999",
                    "122695124371188015545299777422713641247",
                    "106690670692583702481938425110489899852",
                    "304119051236576772722763469777272013806",
                    "28887068261345770513340006360061472811",
                    "26280133394899063511596617912024520866",
                    "307544587225187099823242738742231964521",
                    "319581235034079905796705509909439236663",
                    "162463844005770259670660752817855738370",
                    "281966980067648074142240566543507404698",
                    "294192437121896453685798446473529735239",
                    "332362950513434373589925779088976557318",
                    "108481352702888374011932934116500558828",
                    "313438773159103981145298018448890417611",
                    "219156078207585343436216815655929233414",
                    "276214493963318764412424534748639683905",
                    "41472256311408623347091202367731237368",
                    "340226588820199043384612652998513531703",
                    "303008292955944647144697137037776545327",
                    "224866211994852054833883023846344453355",
                    "85904425184399690027432215477446959133",
                    "68308686890663402683343305057866492833",
                    "186284636420507909642181281237471146931",
                    "47097122779524089833671815772292756884",
                    "37678903134115544278786524366861534611",
                    "95113748457258960652270451863821414665",
                    "323258015265784422023455444648171044409",
                    "179747643586564489227379687069668531891",
                    "242635727781932376784849390327411636973",
                    "246219371449065516249945285850096598908",
                    "111031523661467018242541877133279896151",
                    "41425997854386759240047914135191211728",
                    "153603517312343001461786959562384503529",
                    "303177413990508647812165651295005986045",
                    "184928466765896983686724124135951223638",
                    "208332658735844803438330063883868864534",
                    "111664045586250202426077714417272175202",
                    "52745000606477910756160017957810204591",
                    "51388981653003571918957703208683824275",
                    "194469745212707854925036397979089728118",
                    "84383999315842369499585587257702349447",
                    "162028921666032764772388315493565288507",
                    "51822975246475781917709858843502398203",
                    "111330423438275767697563063323763280383",
                    "326389986972610958986243871476829569596",
                    "44401052975791225495741697253619455363",
                    "313570138683617402028941989883696069615",
                    "325169024165300323148198388953566181754",
                    "322407698099982339444906360000862459888",
                    "43093420482722734695652864146531921571",
                    "102397668688437072526612661462575961794",
                    "49457835069486511479137183234573342579",
                    "297220464977272875635183875237861531565",
                    "149330455243355885366588866922312608332",
                    "289901322037952959099632678126383520970",
                    "158275766494886894846308081583175902083",
                    "244483168919666275356027592949487377141",
                    "95589939382653840870153607230996668198",
                    "96413379463859426235342842489805942111",
                    "175295321965973290456496374677676168607",
                    "73548063894324940807259246949041291648",
                    "283637413765299367478168749713634756015",
                    "169983434125104900482280482422699795451",
                    "144324876620989193981448371400489921546",
                    "216519841270810782881753630797795169707",
                    "91468875349476294403202370719769848254",
                    "152268322992391752766634161049229233651",
                    "251449454170298881274153760483186219867",
                    "328106744939042563559879595229177638190",
                    "166814590317547466466707822212784960674"
                ]
            }
        },
        {
            "deprecated": false,
            "target": {
                "function": "php_var_unserialize",
                "file": "ext/standard/var_unserializer.c"
            },
            "source": "https://github.com/php/php-src/commit/16b3003ffc6393e250f069aa28a78dc5a2c064b2",
            "signature_type": "Function",
            "id": "CVE-2016-10161-f5aaf487",
            "signature_version": "v1",
            "digest": {
                "function_hash": "198732413940183559551554626991973413187",
                "length": 17379.0
            }
        }
    ]
}