What is CVE-2022-31626?

CVE-2022-31626 is a high-severity vulnerability in Php Group, classified under Buffer Copy without Checking Size of Input (Classic Buffer Overflow). CVSS score: 7.5/10. Published 2022-06-16.

How severe is CVE-2022-31626?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2022-31626 known to be exploited?

8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Buffer overflow in Php Group

CVE-2022-31626

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excess…

Vulnerability class: Buffer Overflow

EPSS: 0.584 (99.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Php Group — versions 7.4.X, 8.0.X, 8.1.X

Weakness classification (CWE)

CWE-120 — Buffer Copy without Checking Size of Input (Classic Buffer Overflow)

Public proof-of-concept exploits

References

bugs.php.net/bug.php
FEDORA-2022-0a96e5b9b1 (vendor-advisory)
FEDORA-2022-f3fc52428e (vendor-advisory)
DSA-5179 (vendor-advisory)
security.netapp.com/advisory/ntap-20220722-0005/
GLSA-202209-20 (vendor-advisory)
[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update (mailing-list)

Frequently asked questions

What is CVE-2022-31626?: CVE-2022-31626 is a high-severity vulnerability in Php Group, classified under Buffer Copy without Checking Size of Input (Classic Buffer Overflow). CVSS score: 7.5/10. Published 2022-06-16.
How severe is CVE-2022-31626?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2022-31626 known to be exploited?: 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.