Description
The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' character, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted locale_get_primary_language call.
Remediation
References