{"id":"CVE-2016-10160","details":"Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.","modified":"2026-05-18T13:46:28.864492Z","published":"2017-01-24T21:59:00.227Z","related":["SUSE-SU-2017:0534-1","SUSE-SU-2017:0556-1","SUSE-SU-2017:0568-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"8.0"}],"vendor_product":"debian:debian_linux","cpes":["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD"}]},"references":[{"type":"ADVISORY","url":"http://php.net/ChangeLog-5.php"},{"type":"ADVISORY","url":"http://php.net/ChangeLog-7.php"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3783"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/95783"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1037659"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1296"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201702-29"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20180112-0001/"},{"type":"ADVISORY","url":"https://www.tenable.com/security/tns-2017-04"},{"type":"FIX","url":"https://bugs.php.net/bug.php?id=73768"},{"type":"FIX","url":"https://github.com/php/php-src/commit/b28b8b2fee6dfa6fcd13305c581bb835689ac3be"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"fc1df8e7a6886e29a6ed5bef3f674ac61164e847"},{"fixed":"195427c55481d9913ac9dd3fbcedf2f7c637e6de"},{"introduced":"60fffd296abce5fc071f3c173c25a2696cf683c6"},{"fixed":"cc766d7730bdec064e32f8009154fa672b34ef9b"},{"introduced":"0221e9f827632942225586687a33cfd554860d5e"},{"fixed":"9abbc3cc6d0f448435ca38bef694f671bf7303d8"},{"fixed":"b28b8b2fee6dfa6fcd13305c581bb835689ac3be"}],"database_specific":{"extracted_events":[{"introduced":"5.6.0"},{"fixed":"5.6.30"},{"introduced":"7.0.0"},{"fixed":"7.0.15"},{"introduced":"7.1.0"},{"fixed":"7.1.1"}],"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"}}],"database_specific":{"vanir_signatures_modified":"2026-05-18T13:46:28Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10160.json","vanir_signatures":[{"digest":{"length":2665,"function_hash":"291942526429879441159894536430346133521"},"signature_type":"Function","deprecated":false,"signature_version":"v1","target":{"file":"ext/gd/libgd/gd_gd2.c","function":"_gd2GetHeader"},"source":"https://github.com/php/php-src/commit/9abbc3cc6d0f448435ca38bef694f671bf7303d8","id":"CVE-2016-10160-12d1fca6"},{"digest":{"line_hashes":["261047710016479752139056947476062666898","288684070520142348767897615574607424242","112445893259989087932568962075639758748","60755477067856805034010718087238629256","249922762173586031901652948315750808437","38755955305146916992902222194245576125","250980629975730852784574285116812435575","336350558396583384843201543601166535943"],"threshold":0.9},"signature_type":"Line","deprecated":false,"signature_version":"v1","target":{"file":"ext/phar/phar.c"},"source":"https://github.com/php/php-src/commit/b28b8b2fee6dfa6fcd13305c581bb835689ac3be","id":"CVE-2016-10160-8d672808"},{"digest":{"line_hashes":["268808390959611610380382661363715926383","332457077737297600470842301867489262455","183820387990733455444215637150999073887","296117839669516092864788658433251533836"],"threshold":0.9},"signature_type":"Line","deprecated":false,"signature_version":"v1","target":{"file":"ext/gd/libgd/gd_gd2.c"},"source":"https://github.com/php/php-src/commit/9abbc3cc6d0f448435ca38bef694f671bf7303d8","id":"CVE-2016-10160-a887e78f"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}