CVE-2017-11144 — Vulnetix

CVE-2017-11144 PUBLISHED

In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.

EPSS 40.70% · 97.4th percentile

Risk Scores

EPSS Score

40.70%

97.4th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:16.04:LTS	php7.0	0, 7.0.1-5, 7.0.1-6
Ubuntu:14.04:LTS	php5	0, 5.5.3+dfsg-1ubuntu2, 5.5.3+dfsg-1ubuntu3

Exploit Intelligence

PHP OpenSSL zif_openssl_seal() heap overflow (wild memcpy) (hackerone)
PHP OpenSSL zif_openssl_seal() heap overflow (wild memcpy) (hackerone)
PHP OpenSSL zif_openssl_seal() heap overflow (wild memcpy) (hackerone)

Timeline

CVE Published
Oct 14, 2019 PoC Published
Apr 14, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Dec 17, 2024 EPSS Score
Mar 17, 2025 EPSS Score
Mar 30, 2025 EPSS Score
May 1, 2025 EPSS Score
May 4, 2025 EPSS Score
Jun 4, 2025 EPSS Score
Jun 21, 2025 EPSS Score
Jul 4, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2017-11144 third-party-advisory
http://openwall.com/lists/oss-security/2017/07/10/6 third-party-advisory
http://php.net/ChangeLog-5.php third-party-advisory
http://php.net/ChangeLog-7.php third-party-advisory
https://ubuntu.com/security/notices/USN-3382-1 vendor-advisory
https://ubuntu.com/security/notices/USN-3382-2 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2017-11144 third-party-advisory

Open in Interactive Console →