Cyber Resilience

CVE-2022-31626

High · Public PoC

Published: 16 June 2022

Modified: 21 November 2024
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1024 (93.3rd percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-31626 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in PHP. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 6.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-31626 is a buffer overflow vulnerability in PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7 that occurs in the pdo_mysql extension when paired with the mysqlnd driver. An excessively long password supplied during connection setup can overflow an internal buffer and lead to remote code execution.

An attacker who is permitted to control both the host that PHP connects to and the connection password can trigger the flaw over the network. Exploitation requires low privileges and no user interaction, and a successful attack has high impact on the confidentiality, integrity, and availability of the affected PHP process.

Advisories from Debian, Fedora, and Gentoo, along with the upstream PHP bug report, direct users to upgrade to the patched releases 7.4.30, 8.0.20, or 8.1.7 and to avoid allowing untrusted parties to supply connection credentials.

The EPSS score rose from a low baseline to a peak of 0.2116, indicating that exploitation interest increased after disclosure and that the issue merits renewed attention.

Vulnerability details

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when the pdo_mysql extension is used with the mysqlnd driver, if a third party is allowed to supply the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

php / php: 7.4.0 — 7.4.30 · 8.0.0 — 8.0.20 · 8.1.0 — 8.1.7
debian / debian linux: 10.0, 11.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-120

Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.