CVE-2016-7478

Name: CVE-2016-7478
Creator: NVD / NIST
Published: 2017-01-11T06:59:00.13+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 42.40%

Last modified Jun 17, 2026

CVE-2016-7478 is a vulnerability of currently unknown severity. Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876.. EPSS estimates a 42.40% chance of exploitation in the next 30 days.

Description

Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876.

Metrics

EPSS Probability

42.40%

98.5th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions	Update
Php	Php	5.0.0	—
Php	Php	5.0.1	—
Php	Php	5.0.2	—
Php	Php	5.0.3	—
Php	Php	5.0.4	—
Php	Php	5.0.5	—
Php	Php	5.1.0	—
Php	Php	5.1.1	—
Php	Php	5.1.2	—
Php	Php	5.1.3	—
Php	Php	5.1.4	—
Php	Php	5.1.5	—
Php	Php	5.1.6	—
Php	Php	5.2.0	—
Php	Php	5.2.1	—
Php	Php	5.2.2	—
Php	Php	5.2.3	—
Php	Php	5.2.4	—
Php	Php	5.2.5	—
Php	Php	5.2.6	—
Php	Php	5.2.7	—
Php	Php	5.2.8	—
Php	Php	5.2.9	—
Php	Php	5.2.10	—
Php	Php	5.2.11	—
Php	Php	5.2.12	—
Php	Php	5.2.13	—
Php	Php	5.2.14	—
Php	Php	5.2.15	—
Php	Php	5.2.16	—
Php	Php	5.2.17	—
Php	Php	5.3.0	—
Php	Php	5.3.1	—
Php	Php	5.3.2	—
Php	Php	5.3.3	—
Php	Php	5.3.4	—
Php	Php	5.3.5	—
Php	Php	5.3.6	—
Php	Php	5.3.7	—
Php	Php	5.3.8	—
Php	Php	5.3.9	—
Php	Php	5.3.10	—
Php	Php	5.3.11	—
Php	Php	5.3.12	—
Php	Php	5.3.13	—
Php	Php	5.3.14	—
Php	Php	5.3.15	—
Php	Php	5.3.16	—
Php	Php	5.3.17	—
Php	Php	5.3.18	—

Showing 50 of 170 affected configurations. See NVD for the full list.

References

http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7Third Party Advisory, VDB Entry
http://blog.checkpoint.com/wp-content/uploads/2016/12/PHP_Technical_Report.pdfThird Party Advisory
http://www.securityfocus.com/bid/95150
https://bugs.php.net/bug.php?id=73093Exploit, Vendor Advisory
https://security.netapp.com/advisory/ntap-20180112-0001/
https://www.youtube.com/watch?v=LDcaPstAuPkPress/Media Coverage
http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7Third Party Advisory, VDB Entry
http://blog.checkpoint.com/wp-content/uploads/2016/12/PHP_Technical_Report.pdfThird Party Advisory
http://www.securityfocus.com/bid/95150
https://bugs.php.net/bug.php?id=73093Exploit, Vendor Advisory
https://security.netapp.com/advisory/ntap-20180112-0001/
https://www.youtube.com/watch?v=LDcaPstAuPkPress/Media Coverage

Timeline

Published: Jan 11, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2016-7478?

How severe is CVE-2016-7478?

Severity scoring for CVE-2016-7478 is pending analysis. The EPSS model estimates a 42.40% probability of exploitation in the next 30 days.

How do I fix CVE-2016-7478?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-7478?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST