CVE-2019-11049

Name: CVE-2019-11049
Creator: NVD / NIST
Published: 2019-12-23T03:15:11.897+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 4.11%

Last modified Jun 17, 2026

CVE-2019-11049 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.. EPSS estimates a 4.11% chance of exploitation in the next 30 days.

Description

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

4.11%

89.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Php	Php	>= 7.3.0, <= 7.3.13
Php	Php	7.4.0
Fedoraproject	Fedora	30
Fedoraproject	Fedora	31
Debian	Debian Linux	10.0
Tenable	Securitycenter	< 5.19.0

References

https://bugs.php.net/bug.php?id=78943Mailing List, Patch, Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
https://seclists.org/bugtraq/2020/Feb/27Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20200103-0002/Third Party Advisory
https://www.debian.org/security/2020/dsa-4626Third Party Advisory
https://www.tenable.com/security/tns-2021-14Third Party Advisory
https://bugs.php.net/bug.php?id=78943Mailing List, Patch, Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
https://seclists.org/bugtraq/2020/Feb/27Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20200103-0002/Third Party Advisory
https://www.debian.org/security/2020/dsa-4626Third Party Advisory
https://www.tenable.com/security/tns-2021-14Third Party Advisory

Timeline

Published: Dec 23, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-11049?

How severe is CVE-2019-11049?

CVE-2019-11049 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 4.11% probability of exploitation in the next 30 days.

How do I fix CVE-2019-11049?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-11049?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST