Cyber Resilience

CVE-2019-11043

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 28 October 2019
Modified: 03 November 2025
KEV Added: 25 March 2022
Patch: available (see vendor advisories under References)
CVSS v3.1 Score: 8.7 (High), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score: 0.9405 (99.9th percentile)
Risk Priority: 94 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-11043 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in the PHP FastCGI Process Manager (FPM), as shipped in Canonical Ubuntu Linux and other distributions. Its CVSS base score is 8.7 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a buffer overflow condition, tracked as CWE-120 and CWE-787, that affects the PHP FastCGI Process Manager (FPM) component in versions 7.1.x prior to 7.1.33, 7.2.x prior to 7.2.24, and 7.3.x prior to 7.3.11. In specific FPM configurations, the module can write beyond allocated buffers into memory reserved for FCGI protocol data, creating conditions that enable remote code execution. The issue received a CVSS 3.1 base score of 8.7.

Remote attackers without authentication can trigger the flaw over the network when the vulnerable FPM setup is reachable, achieving code execution that impacts confidentiality and integrity with a scope change, although successful exploitation requires high attack complexity.

Vendor advisories and errata from Red Hat, openSUSE, and other distributions address the issue through updated PHP packages that correct the buffer handling in FPM; organizations are advised to apply the corresponding fixes for the affected versions. Public exploit code demonstrating the remote code execution path has been published.

EU & UK References

Vulnerability details

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of FPM setup it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

CWE(s): CWE-120, CWE-787
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets (vendor / product: versions)

php / php: 7.1.0 to 7.1.33, 7.2.0 to 7.2.24, 7.3.0 to 7.3.11
Canonical / Ubuntu Linux: 12.04, 14.04, 16.04, 18.04, 19.04
Debian / Debian Linux: 9.0, 10.0
Fedora Project / Fedora: 29, 30, 31
Tenable / Tenable.sc: 5.19.0 and earlier
Red Hat / Software Collections: 1.0
Red Hat / Enterprise Linux: 8.0
Red Hat / Enterprise Linux Desktop: 6.0, 7.0
Red Hat / Enterprise Linux EUS: 7.7, 8.1, 8.2, 8.4, 8.6
Red Hat / Enterprise Linux EUS Compute Node: 7.7
Plus 13 more product configurations; see NVD for the full list.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly requires timely application of vendor patches that eliminate the buffer overflow in PHP FPM.

SI-16 Memory Protection (prevent): implements memory protections that block unauthorized code execution resulting from the out-of-bounds write.

CM-7 Least Functionality (prevent): enforces least functionality by disabling or restricting FPM configurations that expose the vulnerable code path.

References