The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via crafted serialized data.
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via crafted serialized data.
https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17 https://bugs.php.net/bug.php?id=72978 http://www.openwall.com/lists/oss-security/2016/12/12/2