{"id":"CVE-2016-3078","details":"Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted call to (1) getFromIndex or (2) getFromName in the ZipArchive class.","modified":"2026-05-08T13:53:35.475748Z","published":"2016-08-07T10:59:02.757Z","references":[{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1035701"},{"type":"ADVISORY","url":"https://php.net/ChangeLog-7.php"},{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2016-3078"},{"type":"REPORT","url":"https://bugs.php.net/bug.php?id=71923"},{"type":"FIX","url":"https://github.com/php/php-src/commit/3b8d4de300854b3517c7acb239b84f7726c1353c?w=1"},{"type":"EVIDENCE","url":"http://www.openwall.com/lists/oss-security/2016/04/28/1"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/39742/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"60fffd296abce5fc071f3c173c25a2696cf683c6"},{"fixed":"734a5fca2c4731e34eca551f28be9a10ffc3f3c9"},{"fixed":"3b8d4de300854b3517c7acb239b84f7726c1353c"}],"database_specific":{"cpe":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"7.0.0"},{"fixed":"7.0.6"}]}}],"database_specific":{"vanir_signatures_modified":"2026-05-08T13:53:35Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-3078.json","vanir_signatures":[{"target":{"file":"ext/zip/php_zip.c"},"digest":{"threshold":0.9,"line_hashes":["193834782511832635126460315008502649908","122701032404794599140100292209662573895","305997671698898631509667006704042414636","199880202858721550022649770427341030569","138951393611278878555268921097277489425","136890833185091162244737598814651851569","30058069426566830036519766740381670483","240539720814655648509524591137719963333"]},"source":"https://github.com/php/php-src/commit/3b8d4de300854b3517c7acb239b84f7726c1353c","signature_type":"Line","deprecated":false,"id":"CVE-2016-3078-4b3a61bd","signature_version":"v1"},{"target":{"file":"ext/zip/php_zip.c","function":"PHP_NAMED_FUNCTION"},"digest":{"function_hash":"236365680313424228371521953091843272237","length":623},"source":"https://github.com/php/php-src/commit/3b8d4de300854b3517c7acb239b84f7726c1353c","signature_type":"Function","deprecated":false,"id":"CVE-2016-3078-d5cc51d3","signature_version":"v1"},{"target":{"file":"ext/zip/php_zip.c","function":"php_zip_get_from"},"digest":{"function_hash":"62722076856804002345561822430900202743","length":1059},"source":"https://github.com/php/php-src/commit/3b8d4de300854b3517c7acb239b84f7726c1353c","signature_type":"Function","deprecated":false,"id":"CVE-2016-3078-e389ffa9","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}