{"id":"CVE-2017-8923","details":"The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.","modified":"2026-04-10T04:01:20.797853Z","published":"2017-05-12T20:29:00.500Z","related":["SUSE-SU-2022:0530-1","SUSE-SU-2022:0577-1","SUSE-SU-2022:0679-1","SUSE-SU-2022:0699-1","SUSE-SU-2022:4067-1","SUSE-SU-2022:4068-1","SUSE-SU-2022:4069-1","openSUSE-SU-2022:0699-1"],"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/98518"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241227-0007/"},{"type":"REPORT","url":"https://bugs.php.net/bug.php?id=74577"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"0"},{"fixed":"7d959d16546198e8012985109e5689abcae18b5f"},{"introduced":"5dc92c2117cafc61daaaaa240fd46c3ac33872a4"},{"fixed":"ca647c529295a4fde269e9a4dfa19fc4f245501c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.4.24"},{"introduced":"8.0.0"},{"fixed":"8.0.11"}]}}],"versions":["POST_64BIT_BRANCH_MERGE","POST_AST_MERGE","POST_PHP7_NSAPI_REMOVAL","POST_PHP7_REMOVALS","POST_PHPNG_MERGE","PRE_64BIT_BRANCH_MERGE","PRE_AST_MERGE","PRE_PHP7_EREG_MYSQL_REMOVALS","PRE_PHP7_NSAPI_REMOVAL","PRE_PHP7_REMOVALS"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8923.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}