{"id":"CVE-2019-11048","details":"In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.","modified":"2026-05-08T14:29:03.425721Z","published":"2020-05-20T08:15:10.110Z","related":["ALSA-2020:3662","SUSE-SU-2020:1545-1","SUSE-SU-2020:1546-1","SUSE-SU-2020:1661-1","SUSE-SU-2020:1661-2","SUSE-SU-2020:1714-1","SUSE-SU-2022:4067-1","openSUSE-SU-2020:0847-1"],"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00045.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2020/06/msg00033.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/"},{"type":"WEB","url":"https://usn.ubuntu.com/4375-1/"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"WEB","url":"https://www.tenable.com/security/tns-2021-14"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200528-0006/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4717"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4719"},{"type":"REPORT","url":"https://bugs.php.net/bug.php?id=78875"},{"type":"REPORT","url":"https://bugs.php.net/bug.php?id=78876"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"8148cbb78841c8ec0759c0836e7f35dec799d300"},{"fixed":"e4c4be1afd50dec81030e5cd45e3c1543874a4f9"},{"introduced":"52ace952a1b65ca80fc2617f11c2fa6dd03f51bd"},{"fixed":"8fd927768991df88df0c338b2b7c29e490392430"},{"introduced":"3c7824e16ec4c3cee417262445d2c2b66531c10f"},{"fixed":"fd6c4b18446b94cc181c7788d80855b0401c8dc5"}],"database_specific":{"extracted_events":[{"introduced":"7.2.0"},{"fixed":"7.2.31"},{"introduced":"7.3.0"},{"fixed":"7.3.18"},{"introduced":"7.4.0"},{"fixed":"7.4.6"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"}}],"database_specific":{"vanir_signatures_modified":"2026-05-08T14:29:03Z","vanir_signatures":[{"target":{"function":"multipart_buffer_read","file":"main/rfc1867.c"},"signature_version":"v1","source":"https://github.com/php/php-src/commit/8fd927768991df88df0c338b2b7c29e490392430","signature_type":"Function","digest":{"length":862,"function_hash":"294637458357854801409029798125434152936"},"id":"CVE-2019-11048-55e9bd1d","deprecated":false},{"target":{"file":"main/rfc1867.c"},"signature_version":"v1","source":"https://github.com/php/php-src/commit/8fd927768991df88df0c338b2b7c29e490392430","signature_type":"Line","digest":{"line_hashes":["253257859480214849959773643489473477233","31733587473799607699027823608429735009","169626389177106271231720876253282377065","256413839389473811903607085520816458597","97598258453149182081381089912350725988","8783911717863870543997202160991571667","94007411478891976480741041793373838426","143325836009250089552012032551504092770","337041986351830358432077217682394123636","168073609255776740712035636058924037258","174557387779045191300778686331721652862","52588729065715192252871476212591501597"],"threshold":0.9},"id":"CVE-2019-11048-61ac34db","deprecated":false}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11048.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}