{"id":"CVE-2016-7134","details":"ext/curl/interface.c in PHP 7.x before 7.0.10 does not work around a libcurl integer overflow, which allows remote attackers to cause a denial of service (allocation error and heap-based buffer overflow) or possibly have unspecified other impact via a long string that is mishandled in a curl_escape call.","modified":"2026-07-08T10:53:37.283360Z","published":"2016-09-12T01:59:12.803Z","related":["SUSE-SU-2016:2408-1","SUSE-SU-2016:2460-1","SUSE-SU-2016:2460-2"],"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/92766"},{"type":"WEB","url":"http://www.securitytracker.com/id/1036680"},{"type":"ADVISORY","url":"http://www.php.net/ChangeLog-7.php"},{"type":"ADVISORY","url":"https://bugs.php.net/bug.php?id=72674"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201611-22"},{"type":"FIX","url":"https://github.com/php/php-src/commit/72dbb7f416160f490c4e9987040989a10ad431c7?w=1"},{"type":"ARTICLE","url":"http://openwall.com/lists/oss-security/2016/09/02/9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"60fffd296abce5fc071f3c173c25a2696cf683c6"},{"last_affected":"9d582eba7448f1495fae62b13d95d2844ce6b28a"},{"fixed":"72dbb7f416160f490c4e9987040989a10ad431c7"}],"database_specific":{"cpe":["cpe:2.3:a:php:php:7.0.0:*:*:*:*:*:*:*","cpe:2.3:a:php:php:7.0.1:*:*:*:*:*:*:*","cpe:2.3:a:php:php:7.0.2:*:*:*:*:*:*:*","cpe:2.3:a:php:php:7.0.3:*:*:*:*:*:*:*","cpe:2.3:a:php:php:7.0.4:*:*:*:*:*:*:*","cpe:2.3:a:php:php:7.0.5:*:*:*:*:*:*:*","cpe:2.3:a:php:php:7.0.6:*:*:*:*:*:*:*","cpe:2.3:a:php:php:7.0.7:*:*:*:*:*:*:*","cpe:2.3:a:php:php:7.0.8:*:*:*:*:*:*:*","cpe:2.3:a:php:php:7.0.9:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"7.0.0"},{"last_affected":"7.0.0"},{"introduced":"7.0.1"},{"last_affected":"7.0.1"},{"introduced":"7.0.2"},{"last_affected":"7.0.2"},{"introduced":"7.0.3"},{"last_affected":"7.0.3"},{"introduced":"7.0.4"},{"last_affected":"7.0.4"},{"introduced":"7.0.5"},{"last_affected":"7.0.5"},{"introduced":"7.0.6"},{"last_affected":"7.0.6"},{"introduced":"7.0.7"},{"last_affected":"7.0.7"},{"introduced":"7.0.8"},{"last_affected":"7.0.8"},{"introduced":"7.0.9"},{"last_affected":"7.0.9"}],"source":["CPE_STRING","REFERENCES"]}}],"versions":["7.0.0","7.0.1","7.0.2","7.0.3","7.0.4","7.0.5","7.0.6","7.0.7","7.0.8","7.0.9"],"database_specific":{"vanir_signatures_modified":"2026-07-08T10:53:37Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7134.json","vanir_signatures":[{"id":"CVE-2016-7134-963245d6","digest":{"length":485,"function_hash":"227528518145986743866062786954349080389"},"deprecated":false,"target":{"function":"PHP_FUNCTION","file":"ext/curl/interface.c"},"signature_type":"Function","source":"https://github.com/php/php-src/commit/72dbb7f416160f490c4e9987040989a10ad431c7","signature_version":"v1"},{"id":"CVE-2016-7134-b420cec9","digest":{"length":419,"function_hash":"184380690513653864814768737943733668699"},"deprecated":false,"target":{"function":"PHP_FUNCTION","file":"ext/curl/interface.c"},"signature_type":"Function","source":"https://github.com/php/php-src/commit/72dbb7f416160f490c4e9987040989a10ad431c7","signature_version":"v1"},{"id":"CVE-2016-7134-b78da87e","digest":{"threshold":0.9,"line_hashes":["335787309558971530386158521091974235944","59168245641041532536797173049677161686","170355232463213619986421451949240296569","323272686444899214637338609833576987879","230973073276262990912696048641882976157","298474625450453199991691042508450365921","46581261744944443022068226888566926896","182149807505015830507255396834038439832","187567355692959817030279297524340235862","329201391369088865734968587245595121480","215314933792689006791172564644187737241"]},"deprecated":false,"target":{"file":"ext/curl/interface.c"},"signature_type":"Line","source":"https://github.com/php/php-src/commit/72dbb7f416160f490c4e9987040989a10ad431c7","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}