CVE-2022-31627 Overview
In PHP versions 8.1.x below 8.1.8, a heap corruption vulnerability exists in fileinfo functions such as finfo_buffer. Due to an incorrect patch applied to the third-party code from libmagic, an incorrect function may be used to free allocated memory, which may lead to heap corruption. This vulnerability represents a serious memory safety issue that could potentially be exploited for remote code execution.
Critical Impact
This heap corruption vulnerability in PHP's fileinfo extension could allow attackers to corrupt heap memory, potentially leading to arbitrary code execution or denial of service on systems processing untrusted file data through finfo_buffer and related functions.
Affected Products
- PHP versions 8.1.x below 8.1.8
- Applications using PHP fileinfo functions (finfo_buffer, finfo_file, etc.)
- Web servers running vulnerable PHP versions with fileinfo extension enabled
Discovery Timeline
- 2022-07-28 - CVE-2022-31627 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-31627
Vulnerability Analysis
This vulnerability (CWE-590: Free of Memory not on the Heap, CWE-787: Out-of-bounds Write) stems from improper memory management within PHP's fileinfo extension. The fileinfo extension relies on libmagic, a third-party library for determining file types based on content. An incorrectly applied patch to the libmagic integration caused a mismatch between memory allocation and deallocation functions.
When PHP's fileinfo functions process data, memory is allocated for internal operations. Due to the flawed patch, a different (incorrect) function is called to free this memory than the one used to allocate it. This mismatch corrupts the heap metadata, leading to heap corruption. An attacker who can influence the data processed by fileinfo functions could potentially exploit this corruption for arbitrary code execution.
Root Cause
The root cause is a patch integration error in PHP's bundled libmagic code. When upstream libmagic patches were applied to PHP, the memory deallocation calls were not properly matched to their corresponding allocation calls. This results in using an incompatible free function (such as calling free() on memory allocated with a different allocator, or vice versa), which violates the memory management contract and corrupts heap structures.
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker can exploit this vulnerability by:
- Sending specially crafted file content to a PHP application that uses fileinfo functions
- Triggering the vulnerable code path through finfo_buffer(), finfo_file(), or related functions
- Exploiting the resulting heap corruption to achieve code execution or crash the application
The vulnerability can be triggered when PHP applications analyze file types or MIME types of user-supplied content, a common operation in file upload handlers and content management systems.
Detection Methods for CVE-2022-31627
Indicators of Compromise
- Unexpected PHP process crashes or segmentation faults when processing file uploads
- Anomalous memory patterns or heap corruption errors in PHP error logs
- Increased memory usage or memory allocation failures in PHP-FPM workers
- Core dumps indicating heap corruption in fileinfo-related operations
Detection Strategies
- Monitor PHP error logs for segmentation faults and memory-related errors when fileinfo functions are invoked
- Implement application-level logging around finfo_buffer() and finfo_file() calls to detect anomalous behavior
- Deploy web application firewalls (WAF) to inspect file upload payloads for exploit patterns
- Use memory sanitizers (AddressSanitizer) in development/staging environments to detect heap corruption
Monitoring Recommendations
- Enable comprehensive PHP error logging with stack traces for memory-related errors
- Configure alerting on PHP-FPM worker restarts or crashes
- Monitor for unusual patterns in file upload functionality
- Implement application performance monitoring (APM) to track fileinfo function behavior
How to Mitigate CVE-2022-31627
Immediate Actions Required
- Upgrade PHP to version 8.1.8 or later immediately
- If immediate upgrade is not possible, consider disabling the fileinfo extension temporarily
- Review and restrict file upload functionality until patching is complete
- Implement strict input validation on all file upload endpoints
Patch Information
The vulnerability is fixed in PHP version 8.1.8 and later. Organizations should upgrade to the latest PHP 8.1.x release to ensure all security patches are applied. The official bug report is available at PHP Bug Report #81723.
Additional security advisories have been published by:
Workarounds
- Disable the fileinfo extension in php.ini if not required for application functionality
- Implement a proxy layer that sanitizes or validates file content before passing to PHP
- Restrict file uploads to authenticated users only to reduce attack surface
- Use alternative file type detection methods that do not rely on PHP's fileinfo extension
# Configuration example - Disable fileinfo extension temporarily
# Add to php.ini or create a separate configuration file
# Option 1: Comment out or remove the extension line
# extension=fileinfo
# Option 2: Disable via command line for CLI scripts
php -d "extension=" -r "// your script"
# Verify fileinfo is disabled
php -m | grep -i fileinfo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
