{"id":"BIT-libphp-2022-31626","summary":"mysqlnd/pdo password buffer overflow","details":"In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when the pdo_mysql extension is used with the mysqlnd driver and a third party is allowed to supply both the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to remote code execution.","aliases":["BIT-php-2022-31626","BIT-php-min-2022-31626","CVE-2022-31626"],"modified":"2025-08-11T14:44:48.178775Z","published":"2025-08-11T13:53:36.527Z","database_specific":{"severity":"High","cpes":["cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"]},"references":[{"type":"WEB","url":"https://bugs.php.net/bug.php?id=81719"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3T4MMEEZYYAEHPQMZDFN44PHORJWJFZQ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZTZQKRGEYJT5UB4FGG3MOE72SQUHSL4/"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31626"},{"type":"WEB","url":"https://security.gentoo.org/glsa/202209-20"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20220722-0005/"},{"type":"WEB","url":"https://www.debian.org/security/2022/dsa-5179"}],"affected":[{"package":{"name":"libphp","ecosystem":"Bitnami","purl":"pkg:bitnami/libphp"},"ranges":[{"type":"SEMVER","events":[{"introduced":"7.4.0"},{"fixed":"7.4.30"},{"introduced":"8.0.0"},{"fixed":"8.0.20"},{"introduced":"8.1.0"},{"fixed":"8.1.7"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/libphp/BIT-libphp-2022-31626.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}],"schema_version":"1.7.3"}