{"id":"CVE-2017-5340","details":"Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data.","modified":"2026-04-11T18:29:56.794115Z","published":"2017-01-11T06:59:00.160Z","related":["SUSE-SU-2017:0534-1"],"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/95371"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1037659"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1296"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20180112-0001/"},{"type":"REPORT","url":"https://bugs.php.net/bug.php?id=73832"},{"type":"FIX","url":"https://github.com/php/php-src/commit/4cc0286f2f3780abc6084bcdae5dce595daa3c12"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"60fffd296abce5fc071f3c173c25a2696cf683c6"},{"fixed":"cc766d7730bdec064e32f8009154fa672b34ef9b"},{"introduced":"0221e9f827632942225586687a33cfd554860d5e"},{"fixed":"9abbc3cc6d0f448435ca38bef694f671bf7303d8"},{"fixed":"4cc0286f2f3780abc6084bcdae5dce595daa3c12"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"7.0.0"},{"fixed":"7.0.15"},{"introduced":"7.1.0"},{"fixed":"7.1.1"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-5340.json","vanir_signatures":[{"deprecated":false,"source":"https://github.com/php/php-src/commit/9abbc3cc6d0f448435ca38bef694f671bf7303d8","signature_type":"Function","id":"CVE-2017-5340-12d1fca6","signature_version":"v1","digest":{"length":2665,"function_hash":"291942526429879441159894536430346133521"},"target":{"file":"ext/gd/libgd/gd_gd2.c","function":"_gd2GetHeader"}},{"deprecated":false,"source":"https://github.com/php/php-src/commit/4cc0286f2f3780abc6084bcdae5dce595daa3c12","signature_type":"Line","id":"CVE-2017-5340-7501d6a6","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["302809697189148475297750884608790259821","25269136893474997921766866731112141155","176995661728580401951558063694425109185","282407999817348256037465684465485374719","27203332826222208118957196914128024108","327578526711602898995701292075519451415","101648155586618325587449013706940504782","84422741966942976358390282422869288177"]},"target":{"file":"Zend/zend_hash.c"}},{"deprecated":false,"source":"https://github.com/php/php-src/commit/4cc0286f2f3780abc6084bcdae5dce595daa3c12","signature_type":"Function","id":"CVE-2017-5340-7570f682","signature_version":"v1","digest":{"length":534,"function_hash":"108479502598115741326499771321871644248"},"target":{"file":"Zend/zend_hash.c","function":"_zend_hash_init"}},{"deprecated":false,"source":"https://github.com/php/php-src/commit/9abbc3cc6d0f448435ca38bef694f671bf7303d8","signature_type":"Line","id":"CVE-2017-5340-a887e78f","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["268808390959611610380382661363715926383","332457077737297600470842301867489262455","183820387990733455444215637150999073887","296117839669516092864788658433251533836"]},"target":{"file":"ext/gd/libgd/gd_gd2.c"}}],"vanir_signatures_modified":"2026-04-11T18:29:56Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}