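The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834, so a source tree that carries only the CVE-2015-6834 patch is still affected. The signatures below, whose ids are prefixed CVE-2016-9936, target ext/standard/var.c.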
{ "vanir_signatures": [ { "target": { "function": "PHP_FUNCTION", "file": "ext/standard/var.c" }, "id": "CVE-2016-9936-2952288b", "source": "https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17", "digest": { "length": 1359.0, "function_hash": "163919097064633431796530038461789854321" }, "signature_version": "v1", "signature_type": "Function", "deprecated": false }, { "target": { "file": "ext/standard/var.c" }, "id": "CVE-2016-9936-f3e232d1", "source": "https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17", "digest": { "line_hashes": [ "133989500739335572472180032269523616631", "173228499048002006869839265895117904363", "95121896849577457867629478963211194495", "254468547754406526900685380808396410134", "153463431164748890972706278510094346576", "103883253828014354123734651881652682809", "238212126955117088207755555621992359151", "183778622276609806544846706656325486230", "291192368226972925913862946723788043006", "22621044917867938151649954650092987150", "186110557801505398965595665184621792723", "51186678585003836062752315817643824194", "228010155175261472109359796944335067227", "290710052435613427613634166377691638508", "262468581539918285098718900042987560333", "185226242802965103332539239777109399071", "202958032855601595112416626134764678655", "300654735560524647184259634826314879885", "87478514085775468505125296944991706113", "57831444154340155485902311915043449904", "25353185225585869047164964247354820544" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line", "deprecated": false } ] }