CVE-2014-9912

Name: CVE-2014-9912
Creator: NVD / NIST
Published: 2017-01-04T20:59:00.217+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 4.95%

Last modified Jun 17, 2026

CVE-2014-9912 is a vulnerability of currently unknown severity. The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.. EPSS estimates a 4.95% chance of exploitation in the next 30 days.

Description

The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.

Metrics

EPSS Probability

4.95%

91.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-119

Affected Software

Vendor	Product	Versions	Update
Php	Php	<= 5.3.28	—
Php	Php	5.4.0	—
Php	Php	5.4.1	—
Php	Php	5.4.2	—
Php	Php	5.4.3	—
Php	Php	5.4.4	—
Php	Php	5.4.5	—
Php	Php	5.4.6	—
Php	Php	5.4.7	—
Php	Php	5.4.8	—
Php	Php	5.4.9	—
Php	Php	5.4.10	—
Php	Php	5.4.11	—
Php	Php	5.4.12	—
Php	Php	5.4.13	—
Php	Php	5.4.14	—
Php	Php	5.4.15	—
Php	Php	5.4.16	Rc1
Php	Php	5.4.17	—
Php	Php	5.4.18	—
Php	Php	5.4.19	—
Php	Php	5.4.20	—
Php	Php	5.4.21	—
Php	Php	5.4.22	—
Php	Php	5.4.23	—
Php	Php	5.4.24	—
Php	Php	5.4.25	—
Php	Php	5.4.26	—
Php	Php	5.4.27	—
Php	Php	5.4.28	—
Php	Php	5.4.29	—
Php	Php	5.5.0	—
Php	Php	5.5.1	—
Php	Php	5.5.2	—
Php	Php	5.5.3	—
Php	Php	5.5.4	—
Php	Php	5.5.5	—
Php	Php	5.5.6	—
Php	Php	5.5.7	—
Php	Php	5.5.8	—
Php	Php	5.5.9	—
Php	Php	5.5.10	—
Php	Php	5.5.11	—
Php	Php	5.5.12	—
Php	Php	5.5.13	—

References

http://www.openwall.com/lists/oss-security/2016/11/25/1Third Party Advisory
http://www.php.net/ChangeLog-5.phpRelease Notes, Vendor Advisory
http://www.securityfocus.com/bid/68549
https://bugs.php.net/bug.php?id=67397Patch, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1383569Issue Tracking, Patch, Third Party Advisory, VDB Entry
http://www.openwall.com/lists/oss-security/2016/11/25/1Third Party Advisory
http://www.php.net/ChangeLog-5.phpRelease Notes, Vendor Advisory
http://www.securityfocus.com/bid/68549
https://bugs.php.net/bug.php?id=67397Patch, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1383569Issue Tracking, Patch, Third Party Advisory, VDB Entry

Timeline

Published: Jan 4, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2014-9912?

How severe is CVE-2014-9912?

Severity scoring for CVE-2014-9912 is pending analysis. The EPSS model estimates a 4.95% probability of exploitation in the next 30 days.

How do I fix CVE-2014-9912?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2014-9912?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST