Hi,

Thank you for bringing this in here, Alan!

On Sat, Apr 12, 2025 at 08:58:59AM -0700, Alan Coopersmith wrote:
> https://blog.quarkslab.com/security-audit-of-php-src.html announces the
> completion of a security audit of PHP by Quarkslab, thanks to funding
> provided by Sovereign Tech Fund to The Open Source Technology Improvement
> Fund.
>
> The blog provides details and a link to the audit report for more.
> The summary it provides of the findings is:
>
> > 2 security issues considered as high severity;
> > 6 security issues considered as medium severity;
> > 9 security issues considered as low severity;
> > 10 issues considered informative.

The PHP Foundation's blog post gives a slightly different breakdown by severity, with "3 High-severity" and "5 Medium-severity".

> CVE-2024-8928 is still marked reserved & not yet published, the report
> lists it as "Details to be shared after fixes are applied".
>
> The Quarkslab blog also points to corresponding blogs from the PHP
> Foundation
> and the Open Source Technology Improvement Fund at:
> https://thephp.foundation/blog/2025/04/10/php-core-security-audit-results/
> https://ostif.org/php-audit-complete/

This mystery CVE is listed with a brief description in the PHP Foundation's blog post above:

CVE-2024-8928: Memory-related vulnerability in PHP's filter handling, leading to segmentation faults.

Alexander