Launchpad CVE tracker

CVE 2024-3096

In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

Related bugs and status

CVE-2024-3096 (Candidate) is related to these bugs:

Bug #2057576: php-fpm sometimes SIGSEGVs (signal 11) when running fpm_get_status

		In	Importance	Status
2057576	php-fpm sometimes SIGSEGVs (signal 11) when running fpm_get_status	php7.4 (Ubuntu)	Undecided	Invalid
2057576	php-fpm sometimes SIGSEGVs (signal 11) when running fpm_get_status	php8.1 (Ubuntu)	Undecided	Invalid
2057576	php-fpm sometimes SIGSEGVs (signal 11) when running fpm_get_status	php8.2 (Ubuntu)	Undecided	Invalid
2057576	php-fpm sometimes SIGSEGVs (signal 11) when running fpm_get_status	php8.1 (Ubuntu Jammy)	Undecided	Fix Released
2057576	php-fpm sometimes SIGSEGVs (signal 11) when running fpm_get_status	php8.2 (Ubuntu Mantic)	Undecided	Fix Committed
2057576	php-fpm sometimes SIGSEGVs (signal 11) when running fpm_get_status	php7.4 (Ubuntu Focal)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: https://github.com/php...

Launchpad.net

CVE 2024-3096

Related bugs and status

Related bugs

References