CVE-2015-6834

Publication date 9 September 2015

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	15.04 vivid	Fixed 5.6.4+dfsg-4ubuntu6.3
	14.04 LTS trusty	Fixed 5.5.9+dfsg-1ubuntu4.13
	12.04 LTS precise	Fixed 5.3.10-1ubuntu3.20

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Upstream: http://git.php.net/?p=php-src.git;a=commit;h=e8429400d40e3c3aa4b22ba701991d698a2f3b2f Upstream: http://git.php.net/?p=php-src.git;a=commit;h=f06a069c462d37c2e009f6d1d93b8c8e7b713393 Upstream: http://git.php.net/?p=php-src.git;a=commit;h=259057b2a484747a6c73ce54c4fa0f5acbd56179

Severity score breakdown

Parameter	Value
Base score	9.8 · Critical
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-2758-1
PHP vulnerabilities
30 September 2015