UAF in PHP 8.3/8.4 via __set / ??= Operator
CVE-2024-11235 Published on April 4, 2025
Reference counting in php_request_shutdown causes Use-After-Free
In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.
Weakness Type
What is a Dangling pointer Vulnerability?
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
CVE-2024-11235 has been classified to as a Dangling pointer vulnerability or weakness.
Products Associated with CVE-2024-11235
stack.watch emails you whenever new vulnerabilities are published in PHP or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
PHP Group PHP:- Version 8.4.* and below 8.4.5 is affected.
- Version 8.3.* and below 8.3.19 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.