CVE-2024-11235 Overview
CVE-2024-11235 is a use-after-free vulnerability in PHP affecting versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5. The flaw resides in a code sequence involving the __set magic method handler or the ??= null coalescing assignment operator combined with exception handling. Attackers who control memory layout through specially crafted script inputs can trigger remote code execution. The vulnerability is classified as [CWE-416] Use After Free and carries a CVSS 4.0 score of 9.2. PHP's widespread deployment across web infrastructure makes this flaw significant for any server running affected versions.
Critical Impact
Successful exploitation allows remote code execution on PHP servers running vulnerable 8.3.x or 8.4.x releases when attackers can influence memory layout via script inputs.
Affected Products
- PHP versions 8.3.0 through 8.3.18
- PHP versions 8.4.0 through 8.4.4
- Web applications and services running affected PHP releases
Discovery Timeline
- 2025-04-04 - CVE-2024-11235 published to NVD
- 2025-04-30 - Last updated in NVD database
Technical Details for CVE-2024-11235
Vulnerability Analysis
The vulnerability is a use-after-free condition triggered by specific PHP language constructs interacting with the engine's exception handling logic. When a script invokes the __set magic handler or uses the ??= null coalescing assignment operator, and an exception is thrown during the operation, the PHP engine fails to correctly manage object references. This leaves a dangling pointer to memory that has been freed but remains accessible to subsequent operations.
An attacker who supplies crafted inputs to a PHP script can manipulate the heap to position controlled data into the freed region. When the engine dereferences the stale pointer, attacker-controlled bytes are interpreted as a valid object, enabling memory corruption that can be escalated to arbitrary code execution within the PHP process.
Root Cause
The root cause is improper reference counting and object lifetime tracking in the PHP Zend engine. Specifically, the __set handler and ??= operator paths do not correctly increment or preserve references when execution is interrupted by an exception. The object is freed prematurely while a reference remains in scope, producing the classic use-after-free pattern described in [CWE-416].
Attack Vector
Exploitation requires the attacker to supply input that reaches a vulnerable PHP code path containing either the __set magic method or the ??= operator alongside exception-throwing logic. The attack vector is network-based but carries high attack complexity, since the attacker must groom the PHP heap to control the freed memory contents. Applications that deserialize user data, evaluate dynamic property assignments, or expose endpoints handling complex object operations are most exposed.
No public proof-of-concept code is currently available. Technical details are described in the PHP GitHub Security Advisory GHSA-rwp7-7vc6-8477.
Detection Methods for CVE-2024-11235
Indicators of Compromise
- Unexpected PHP-FPM or php-cgi process crashes with segmentation faults in web server logs
- Anomalous child process spawning from PHP worker processes such as sh, bash, or python
- Outbound network connections originating from PHP runtime processes to unfamiliar hosts
- Web access logs showing repeated POST requests with malformed serialized payloads targeting endpoints that handle object properties
Detection Strategies
- Inventory PHP installations and flag any host running versions 8.3.0 through 8.3.18 or 8.4.0 through 8.4.4
- Deploy web application firewall rules that inspect request bodies for suspicious patterns interacting with magic methods or null coalescing assignments
- Monitor PHP error logs for repeated fatal errors involving exception handling and object destructors
- Correlate process telemetry to identify PHP workers executing unexpected system binaries
Monitoring Recommendations
- Enable PHP core dump collection in non-production environments to capture exploitation attempts for forensic analysis
- Forward web server, PHP-FPM, and host process events to a centralized logging platform for correlation
- Establish baselines for normal PHP process behavior and alert on deviations such as new child processes or unusual file writes
- Track external scanning activity that probes PHP version banners or known PHP application paths
How to Mitigate CVE-2024-11235
Immediate Actions Required
- Upgrade PHP to version 8.3.19 or later for the 8.3 branch, or 8.4.5 or later for the 8.4 branch
- Audit application code for use of __set handlers and ??= operators in paths reachable by untrusted input
- Restrict network exposure of PHP applications behind a web application firewall while patches are being deployed
- Validate that all PHP-based microservices and container images have been rebuilt against patched runtimes
Patch Information
The PHP project released fixed versions 8.3.19 and 8.4.5 addressing this use-after-free condition. Refer to the PHP GitHub Security Advisory GHSA-rwp7-7vc6-8477 for the upstream patch and full advisory text. Linux distributions ship updated PHP packages through their standard security channels.
Workarounds
- Remove or refactor code paths that combine __set magic methods with exception-throwing logic on untrusted input
- Avoid using ??= against object properties whose assignment can raise exceptions when handling external data
- Apply strict input validation and type enforcement on all data reaching dynamic property assignments
- Run PHP-FPM workers under least-privilege accounts to limit post-exploitation impact
# Verify installed PHP version and upgrade where required
php -v
# Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade php8.3 php8.4
# RHEL/Alma/Rocky
sudo dnf upgrade php
# Confirm patched version (8.3.19+ or 8.4.5+)
php -r 'echo PHP_VERSION . PHP_EOL;'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
