What is the severity of CVE-2016-6297?

CVE-2016-6297 is rated as a high severity vulnerability, allowing for denial of service and potential exploitation through crafted zip URLs.

How do I fix CVE-2016-6297?

To fix CVE-2016-6297, upgrade PHP to at least version 5.5.38, 5.6.24, or 7.0.9.

What causes the CVE-2016-6297 vulnerability?

The CVE-2016-6297 vulnerability is caused by an integer overflow in the php_stream_zip_opener function within the zip extension of PHP.

Which versions of PHP are affected by CVE-2016-6297?

CVE-2016-6297 affects PHP versions before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9.

What are the potential impacts of CVE-2016-6297?

The potential impacts of CVE-2016-6297 include stack-based buffer overflow leading to denial of service or other unspecified impacts.

Vulnerability/
CVE-2016-6297

high

8.8

CWE

119 190

25/7/2016

6/8/2024

CVE-2016-6297: Buffer Overflow

First published: Mon Jul 25 2016(Updated: )

Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
PHP	<7.0.9	7.0.9
PHP	<=5.5.37
PHP	=5.6.0-alpha1
PHP	=5.6.0-alpha2
PHP	=5.6.0-alpha3
PHP	=5.6.0-alpha4
PHP	=5.6.0-alpha5
PHP	=5.6.0-beta1
PHP	=5.6.0-beta2
PHP	=5.6.0-beta3
PHP	=5.6.0-beta4
PHP	=5.6.1
PHP	=5.6.2
PHP	=5.6.3
PHP	=5.6.4
PHP	=5.6.5
PHP	=5.6.6
PHP	=5.6.7
PHP	=5.6.8
PHP	=5.6.9
PHP	=5.6.10
PHP	=5.6.11
PHP	=5.6.12
PHP	=5.6.13
PHP	=5.6.14
PHP	=5.6.15
PHP	=5.6.16
PHP	=5.6.17
PHP	=5.6.18
PHP	=5.6.19
PHP	=5.6.20
PHP	=5.6.21
PHP	=5.6.22
PHP	=5.6.23
PHP	=7.0.0
PHP	=7.0.1
PHP	=7.0.2
PHP	=7.0.3
PHP	=7.0.4
PHP	=7.0.5
PHP	=7.0.6
PHP	=7.0.7
PHP	=7.0.8

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2016-6297?
CVE-2016-6297 is rated as a high severity vulnerability, allowing for denial of service and potential exploitation through crafted zip URLs.
How do I fix CVE-2016-6297?
To fix CVE-2016-6297, upgrade PHP to at least version 5.5.38, 5.6.24, or 7.0.9.
What causes the CVE-2016-6297 vulnerability?
The CVE-2016-6297 vulnerability is caused by an integer overflow in the php_stream_zip_opener function within the zip extension of PHP.
Which versions of PHP are affected by CVE-2016-6297?
CVE-2016-6297 affects PHP versions before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9.
What are the potential impacts of CVE-2016-6297?
The potential impacts of CVE-2016-6297 include stack-based buffer overflow leading to denial of service or other unspecified impacts.

agent/type
agent/weakness
agent/softwarecombine
agent/severity
agent/author
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/references
agent/event
agent/first-publish-date
agent/source
agent/tags
collector/php-changelog
source/PHP
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/nvd-index
vendor/php
canonical/php
version/php/5.5.37
version/php/5.6.0-alpha1
version/php/5.6.0-alpha2
version/php/5.6.0-alpha3
version/php/5.6.0-alpha4
version/php/5.6.0-alpha5
version/php/5.6.0-beta1
version/php/5.6.0-beta2
version/php/5.6.0-beta3
version/php/5.6.0-beta4
version/php/5.6.1
version/php/5.6.2
version/php/5.6.3
version/php/5.6.4
version/php/5.6.5
version/php/5.6.6
version/php/5.6.7
version/php/5.6.8
version/php/5.6.9
version/php/5.6.10
version/php/5.6.11
version/php/5.6.12
version/php/5.6.13
version/php/5.6.14
version/php/5.6.15
version/php/5.6.16
version/php/5.6.17
version/php/5.6.18
version/php/5.6.19
version/php/5.6.20
version/php/5.6.21
version/php/5.6.22
version/php/5.6.23
version/php/7.0.0
version/php/7.0.1
version/php/7.0.2
version/php/7.0.3
version/php/7.0.4
version/php/7.0.5
version/php/7.0.6
version/php/7.0.7
version/php/7.0.8