CVE-2016-3141

CRITICAL

Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.

Published: Mar 31, 2016 Modified: May 6, 2026

CWE-119

CVSS Metrics

CVSSv3

Attack Vector: NETWORK Attack Complexity: LOW Privileges Required: NONE User Interaction: NONE Scope: UNCHANGED Confidentiality Impact: HIGH Integrity Impact: HIGH Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products (21)

Vendor	Product	Version
apple	mac_os_x	*
php	php	*
php	php	5.6.0
php	php	5.6.1
php	php	5.6.2
php	php	5.6.3
php	php	5.6.4
php	php	5.6.5
php	php	5.6.6
php	php	5.6.7
php	php	5.6.8
php	php	5.6.9
php	php	5.6.10
php	php	5.6.11
php	php	5.6.12
php	php	5.6.13
php	php	5.6.14
php	php	5.6.15
php	php	5.6.16
php	php	5.6.17

…and 1 more

References (30)

Risk Scores

CVSS Score 9.8 / 10

EPSS Score 72.28%

Top 1% most likely to be exploited

Threat Score 70.9 / 100

Data Sources

NVD EPSS