Search for vulnerabilities
Vulnerability details: VCID-dzks-xxg9-aaaf
Vulnerability ID VCID-dzks-xxg9-aaaf
Aliases CVE-2016-9137
Summary Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing.
Status Published
Exploitability 0.5
Weighted Severity 8.8
Risk 4.4
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-416 Use After Free
System Score Found at
generic_textual Low http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9137.html
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9137.json
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00641 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.00942 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.01772 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.01772 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.01772 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.01772 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02128 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02128 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02128 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02128 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02128 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02128 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02128 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02128 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02128 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02128 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02128 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02128 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
epss 0.02821 https://api.first.org/data/v1/epss?cve=CVE-2016-9137
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1391000
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9137
cvssv2 5.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2016-9137
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2016-9137
generic_textual Medium https://ubuntu.com/security/notices/USN-3196-1
generic_textual Medium https://ubuntu.com/security/notices/USN-3211-1
generic_textual Low http://www.openwall.com/lists/oss-security/2016/10/18/1
generic_textual Low http://www.php.net/ChangeLog-5.php
Reference id Reference type URL
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=0e6fe3a4c96be2d3e88389a5776f878021b4c59f
http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9137.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9137.json
https://api.first.org/data/v1/epss?cve=CVE-2016-9137
https://bugs.php.net/bug.php?id=73147
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9137
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://ubuntu.com/security/notices/USN-3196-1
https://ubuntu.com/security/notices/USN-3211-1
https://www.tenable.com/security/tns-2016-19
http://www.debian.org/security/2016/dsa-3698
http://www.openwall.com/lists/oss-security/2016/10/18/1
http://www.openwall.com/lists/oss-security/2016/11/01/2
http://www.php.net/ChangeLog-5.php
http://www.php.net/ChangeLog-7.php
http://www.securityfocus.com/bid/93577
1391000 https://bugzilla.redhat.com/show_bug.cgi?id=1391000
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:php:php:7.0.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:7.0.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:php:php:7.0.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:7.0.10:*:*:*:*:*:*:*
cpe:2.3:a:php:php:7.0.11:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:7.0.11:*:*:*:*:*:*:*
cpe:2.3:a:php:php:7.0.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:php:php:7.0.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:php:php:7.0.4:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:7.0.4:*:*:*:*:*:*:*
cpe:2.3:a:php:php:7.0.5:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:7.0.5:*:*:*:*:*:*:*
cpe:2.3:a:php:php:7.0.6:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:php:php:7.0.7:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:7.0.7:*:*:*:*:*:*:*
cpe:2.3:a:php:php:7.0.8:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:7.0.8:*:*:*:*:*:*:*
cpe:2.3:a:php:php:7.0.9:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:7.0.9:*:*:*:*:*:*:*
CVE-2016-9137 https://nvd.nist.gov/vuln/detail/CVE-2016-9137
USN-3196-1 https://usn.ubuntu.com/3196-1/
USN-3211-1 https://usn.ubuntu.com/3211-1/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9137.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2016-9137
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2016-9137
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.68173
EPSS Score 0.00641
Published At March 28, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.