CVE-2024-11235 CRITICAL

CVE-2024-11235: Reference counting in php_request_shutdown causes Use-After-Free

Vendor PHP Group
Product PHP
Weakness CWE-416
Published April 4, 2025
Last update February 26, 2026

CVSS base score

9.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber

What the vulnerability does

Description

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving the __set handler or the ??= operator together with exceptions can lead to a use-after-free vulnerability. If a third party can control the memory layout that leads to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

Key dates

Disclosure timeline

April 4, 2025 CVE published
February 26, 2026 Record updated