CVE-2016-7126
First published: Mon Sep 12 2016(Updated: )
The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate the number of colors, which allows remote attackers to cause a denial of service (select_colors allocation error and out-of-bounds write) or possibly have unspecified other impact via a large value in the third argument.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PHP | <7.0.10 | 7.0.10 |
| PHP | =7.0.0 | |
| PHP | =7.0.1 | |
| PHP | =7.0.2 | |
| PHP | =7.0.3 | |
| PHP | =7.0.4 | |
| PHP | =7.0.5 | |
| PHP | =7.0.6 | |
| PHP | =7.0.7 | |
| PHP | =7.0.8 | |
| PHP | =7.0.9 | |
| PHP | <=5.6.24 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://openwall.com/lists/oss-security/2016/09/02/9
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://www.php.net/ChangeLog-5.php
- http://www.php.net/ChangeLog-7.php
- http://www.securityfocus.com/bid/92755
- http://www.securitytracker.com/id/1036680
- https://bugs.php.net/bug.php?id=72697
- https://github.com/php/php-src/commit/28022c9b1fd937436ab67bb3d61f652c108baf96
- https://github.com/php/php-src/commit/b6f13a5ef9d6280cf984826a5de012a32c396cd4?w=1
- https://security.gentoo.org/glsa/201611-22
- https://www.tenable.com/security/tns-2016-19
- https://www.php.net/ChangeLog-7.php#7.0.10 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2016-7126?
CVE-2016-7126 has a severity rating that indicates the potential for denial of service due to an allocation error and out-of-bounds write.
How do I fix CVE-2016-7126?
To fix CVE-2016-7126, upgrade your PHP installation to version 5.6.25 or later, or version 7.0.10 or later.
Which versions of PHP are affected by CVE-2016-7126?
CVE-2016-7126 affects PHP versions prior to 5.6.25 and 7.0.10, including versions 5.6.24 and earlier for the 5.x series, and 7.0.9 and earlier for the 7.x series.
What are the potential impacts of CVE-2016-7126?
The potential impacts of CVE-2016-7126 include denial of service attacks caused by allocation errors or out-of-bounds writes.
Who can exploit CVE-2016-7126?
CVE-2016-7126 can be exploited by remote attackers to trigger denial of service vulnerabilities.
- agent/type
- agent/remedy
- agent/softwarecombine
- agent/weakness
- agent/references
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/php-changelog
- source/PHP
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/php
- canonical/php
- version/php/7.0.0
- version/php/7.0.1
- version/php/7.0.2
- version/php/7.0.3
- version/php/7.0.4
- version/php/7.0.5
- version/php/7.0.6
- version/php/7.0.7
- version/php/7.0.8
- version/php/7.0.9
- version/php/5.6.24