A use-after-free vulnerability, identified as CVE-2024-11235, has been discovered in PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5. Exploiting this vulnerability could potentially allow remote code execution if a third party can control the memory layout, for instance, by providing specially crafted inputs to the script. This vulnerability is tied to a code sequence that involves the __set handler or the ??= operator, along with exceptions.

Vulnerable Versions

PHP 8.3.* before 8.3.19
PHP 8.4.* before 8.4.5

Details

The use-after-free (CVE-2024-11235) occurs when an exception raised inside a __set handler or during a ??= assignment leaves the engine's memory in an inconsistent state. It arises from the improper handling of objects and their properties when these constructs are combined with exceptions.

The following code snippet demonstrates the construct involved:

<?php
class VulnerableClass {
    // Magic setter: invoked for writes to inaccessible or undefined properties
    public function __set($name, $value) {
        if ($name === "trigger") {
            throw new Exception("Exception triggered");
        }
        $this->$name = $value;
    }
}
$vulnerableObj = new VulnerableClass();
try {
    $vulnerableObj->trigger = "exploit"; // first write goes through __set and throws
} catch (Exception $e) {
    echo "Caught exception: " . $e->getMessage();
}
$vulnerableObj->trigger ??= "exploit"; // Use-after-free here
?>

Exploit

A remote attacker who can influence the memory layout of the PHP process, for example by supplying specially crafted inputs that shape how objects are laid out in memory, can potentially turn this use-after-free into arbitrary code execution on the affected system, leading to a full compromise of the application and its underlying data.

For further details regarding this vulnerability, refer to the findings reported in the PHP Bug Tracker and the CVE entry.

Fixed Versions

PHP 8.3.19 or later for 8.3.* users
PHP 8.4.5 or later for 8.4.* users

The patch for this vulnerability can also be found in the PHP Git repository. It is advisable to apply this patch if upgrading to a newer version is not immediately feasible.
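Before choosing between upgrading and backporting the patch, the first step is finding which hosts run an affected build. The following check is an added example, not code from the advisory or the PHP project: it parses `php -v` banners and flags the version ranges listed above. The banners are constructed samples.

```python
import re

# Affected branches for CVE-2024-11235 as stated in the advisory:
# 8.3.* before 8.3.19 and 8.4.* before 8.4.5. Other branches are not listed.
FIXED_IN = {(8, 3): (8, 3, 19), (8, 4): (8, 4, 5)}

_VERSION_RE = re.compile(r"\bPHP\s+(\d+)\.(\d+)\.(\d+)")

def parse_php_version(banner: str):
    """Extract (major, minor, patch) from a `php -v` banner such as
    'PHP 8.3.18 (cli) (built: ...)'. Returns None if no version is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())

def is_affected(version) -> bool:
    """True when the version falls inside an affected range of CVE-2024-11235."""
    fixed = FIXED_IN.get(version[:2])
    return fixed is not None and version < fixed

def assess(banner: str) -> str:
    """Human-readable verdict for one banner, naming the release to move to."""
    v = parse_php_version(banner)
    if v is None:
        return "unknown: no PHP version found"
    ver = ".".join(map(str, v))
    if is_affected(v):
        fixed = ".".join(map(str, FIXED_IN[v[:2]]))
        return f"{ver}: AFFECTED by CVE-2024-11235, upgrade to {fixed} or later"
    return f"{ver}: not affected"

# Constructed sample banners (not real hosts), in the shape `php -v` prints them.
SAMPLE_BANNERS = [
    "PHP 8.3.18 (cli) (built: Mar  1 2025 10:00:00) (NTS)",
    "PHP 8.3.19 (cli) (built: Mar 13 2025 10:00:00) (NTS)",
    "PHP 8.4.4 (cli) (built: Feb 13 2025 10:00:00) (NTS)",
    "PHP 8.4.5 (cli) (built: Mar 13 2025 10:00:00) (NTS)",
    "PHP 8.2.27 (cli) (built: Dec 17 2024 10:00:00) (NTS)",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(assess(banner))
```

Distribution packages sometimes backport the fix while keeping a lower version number, so treat a hit from this check as a prompt to verify the package changelog rather than as proof of exposure.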

Moreover, ensure that the application's exception handling mechanisms are robust and can adequately handle unexpected exceptions that may arise during the execution of the script. Finally, always validate and sanitize user inputs to minimize the risk of successful exploitation.

Conclusion

The use-after-free vulnerability (CVE-2024-11235) found in PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5 is a serious security risk. Attackers can take advantage of this vulnerability to execute arbitrary code on the affected system and gain control over the application and its data. Make sure to update PHP to the latest version and follow security best practices to keep your systems safe from potential breaches.

Timeline

Published on: 04/04/2025 18:15:48 UTC
Last modified on: 04/07/2025 14:17:50 UTC