A newly disclosed flaw in PHP versions 5.x, 7.x, and 8.x could allow attackers to take full control of your server

System administrators managing PHP-based environments are urged to patch immediately. A critical vulnerability in PHP’s extract() function has been discovered that enables heap memory corruption — specifically a double-free in PHP 5.x and use-after-free (UAF) in versions 7.x and 8.x. These issues can ultimately be exploited for remote code execution (RCE).

The vulnerability has been reported by independent security researcher LCFR, in collaboration with SSD Secure Disclosure. The PHP core team has since acknowledged the flaw and issued a GitHub security advisory:
🔗 GHSA-4pwq-3fv3-gm94


🔍 Technical Overview

The vulnerability arises when extract() is used with the EXTR_REFS flag, which imports array entries as references rather than copies. When a destructible object is assigned to a variable in this way, its __destruct() method may unset that variable while the internal zval_ptr_dtor() function is still tearing it down, so the engine releases memory it is still using: the same block is freed twice on PHP 5.x and freed-then-reused on 7.x and 8.x.

<?php
// Trigger shown in the disclosure: the destructor unsets the very variable
// that extract() is still in the middle of importing by reference.
class Exploit {
    public function __destruct() {
        unset($GLOBALS['target']);  // runs while zval_ptr_dtor() is still active
    }
}

$data = ['target' => new Exploit()];
extract($data, EXTR_REFS);  // Trigger vulnerability: $target is imported as a reference

This results in:

  • PHP 5.x → Double-free
  • PHP 7.x / 8.x → Use-after-free (UAF)

Both scenarios can allow attackers to manipulate the heap and achieve arbitrary memory reads/writes, potentially hijacking internal function handlers and executing native code.


🔥 Impact

Attackers exploiting this flaw can:

  • Corrupt PHP’s internal memory structures
  • Bypass restrictions such as disable_functions
  • Restore execution of disabled functions like system() or exec()
  • Ultimately gain remote code execution (RCE)

🛡️ Recommendations for System Administrators

Update PHP Immediately
Apply the latest security patches from the official PHP repository.

🧪 Audit Codebases for Risky Use of extract()
Focus on instances where it’s used with untrusted input ($_POST, $_REQUEST, etc.).
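A quick way to carry out that audit is to let PHP's own tokenizer find the calls, so that extract() inside comments, string literals and method names is not reported. The script below is an added example, not part of the advisory or of PHP itself; it assumes PHP 8.0 or newer (for the T_NAME_FULLY_QUALIFIED token) and scans a constructed sample file rather than a real codebase.

```php
<?php
// Added audit helper: report extract() calls whose argument list names a
// superglobal or passes EXTR_REFS. token_get_all() gives real tokens, so
// "// extract($_GET)" in a comment and "$obj->extract($_GET)" are skipped.

const SUPERGLOBALS = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE',
                      '$_FILES', '$_SERVER', '$_ENV', '$GLOBALS'];

/** Previous non-whitespace token before index $i, or null. */
function prevToken(array $tokens, int $i)
{
    for ($j = $i - 1; $j >= 0; $j--) {
        if (!is_array($tokens[$j]) || $tokens[$j][0] !== T_WHITESPACE) {
            return $tokens[$j];
        }
    }
    return null;
}

/** Returns [['line' => int, 'reasons' => string[]], ...] for risky calls. */
function auditExtractCalls(string $source): array
{
    $tokens   = token_get_all($source);
    $count    = count($tokens);
    $findings = [];

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        // Only a bare function name "extract" (or "\extract") is a candidate.
        if (!is_array($tok) || strcasecmp(ltrim($tok[1], '\\'), 'extract') !== 0
            || !in_array($tok[0], [T_STRING, T_NAME_FULLY_QUALIFIED], true)) {
            continue;
        }
        // Skip $obj->extract(), Foo::extract() and "function extract(".
        $prev = prevToken($tokens, $i);
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        // The next significant token must be "(" for this to be a call.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $count || $tokens[$j] !== '(') {
            continue;
        }
        // Collect the argument text up to the matching ")".
        $depth = 1;
        $args  = '';
        for ($k = $j + 1; $k < $count; $k++) {
            $text = is_array($tokens[$k]) ? $tokens[$k][1] : $tokens[$k];
            if ($text === '(') {
                $depth++;
            } elseif ($text === ')' && --$depth === 0) {
                break;
            }
            $args .= $text;
        }
        $reasons = [];
        foreach (SUPERGLOBALS as $sg) {
            if (strpos($args, $sg) !== false) {
                $reasons[] = "reads untrusted input from $sg";
            }
        }
        if (strpos($args, 'EXTR_REFS') !== false) {
            $reasons[] = 'imports variables by reference (EXTR_REFS)';
        }
        if ($reasons) {
            $findings[] = ['line' => $tok[2], 'reasons' => $reasons];
        }
    }
    return $findings;
}

// Constructed sample source to scan (line numbers refer to this nowdoc).
$sample = <<<'PHP'
<?php
$defaults = ['page' => 1];
extract($defaults);                          // line 3: trusted literal, not reported
extract($_POST);                             // line 4: reported
extract($_REQUEST, EXTR_PREFIX_ALL, 'req');  // line 5: reported despite prefixing
extract($rows, EXTR_REFS);                   // line 6: reported, reference import
// extract($_GET) inside a comment is ignored
$label = 'extract($_GET)';                   // string literal, ignored
$reader->extract($_GET);                     // method call, ignored
PHP;

foreach (auditExtractCalls($sample) as $finding) {
    printf("line %d: %s\n", $finding['line'], implode('; ', $finding['reasons']));
}
```

Run it over a real tree by replacing $sample with file_get_contents() of each .php file found by a directory iterator; a hit on line 5 shows why EXTR_PREFIX_ALL alone is not a reason to close a finding, since the data source is still the request.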

🚫 Avoid using extract() with user input
Even with EXTR_PREFIX_ALL, it’s safer to assign variables explicitly.
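The following added example (not code from the advisory or from PHP) puts the risky pattern next to the explicit-assignment style the recommendation calls for. The handler names, the allow-list and the constructed request array are assumptions for illustration; $request stands in for $_POST.

```php
<?php
// Risky: every key the client sends becomes a local variable, so a request
// can overwrite $isAdmin, and any destructible object living under a
// colliding name lands in exactly the situation the advisory describes.
function riskyHandler(array $request): string
{
    $isAdmin = false;
    extract($request);               // variable names are chosen by the client
    return $isAdmin ? 'admin view' : 'user view';
}

// Hardened: copy only allow-listed keys into named locals, apply defaults,
// validate each value, and never let the request name a variable.
function hardenedHandler(array $request): string
{
    $isAdmin = false;                // decided by the application, not the request
    $allowed = ['page' => 1, 'sort' => 'name'];   // key => default
    $params  = [];
    foreach ($allowed as $key => $default) {
        $params[$key] = array_key_exists($key, $request) ? $request[$key] : $default;
    }
    // Validate each field individually instead of trusting the raw value.
    $page = filter_var($params['page'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($page === false) {
        $page = 1;
    }
    $sort = in_array($params['sort'], ['name', 'date'], true) ? $params['sort'] : 'name';
    return sprintf('%s (page %d, sort %s)', $isAdmin ? 'admin view' : 'user view', $page, $sort);
}

// Constructed request body standing in for $_POST.
$request = ['isAdmin' => '1', 'page' => '-5', 'sort' => 'name; DROP'];
echo riskyHandler($request), "\n";
echo hardenedHandler($request), "\n";
```

With this input the risky handler reports the admin view, because extract() let the client define $isAdmin, while the hardened handler ignores the unknown key, rejects the out-of-range page number and falls back to the default sort order.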

🔐 Harden PHP Environments
Use appropriate isolation techniques (e.g., containerization), limit the permissions of the PHP worker user, configure open_basedir and disable_functions, and turn off expose_php.

🧰 Monitor for Suspicious Behavior
Log segmentation faults, unexpected restarts, and other anomalies that might signal heap corruption or exploit attempts.
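Repeated worker crashes are the observable symptom of heap corruption, whether from a plain bug or from an exploit attempt that did not land. The script below is an added example, not part of the advisory; it parses php-fpm's "child exited on signal" log lines and alerts when several crash-signal exits in one pool fall inside a short window. The log lines are constructed in php-fpm's format, not a real capture, and the pool names, threshold and window are assumptions.

```php
<?php
// Added monitoring helper: detect bursts of SIGSEGV/SIGBUS/SIGABRT worker
// exits per php-fpm pool from the master error log.

const CRASH_SIGNALS = ['SIGSEGV', 'SIGBUS', 'SIGABRT'];

/** Parse one php-fpm "child exited on signal" line; null for anything else. */
function parseFpmCrashLine(string $line): ?array
{
    // php-fpm format:
    // [20-Jun-2025 10:15:02] WARNING: [pool www] child 4321 exited on signal 11 (SIGSEGV - core dumped) after 12.345678 seconds from start
    $re = '/^\[(?<ts>[^\]]+)\] WARNING: \[pool (?<pool>[^\]]+)\] child (?<pid>\d+) '
        . 'exited on signal (?<sig>\d+) \((?<name>SIG[A-Z]+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d-M-Y H:i:s', $m['ts']);
    if ($ts === false) {
        return null;
    }
    return ['time' => $ts, 'pool' => $m['pool'], 'pid' => (int) $m['pid'], 'signal' => $m['name']];
}

/** Pools with at least $threshold crash-signal exits inside any $windowSeconds span. */
function findCrashBursts(array $lines, int $threshold = 3, int $windowSeconds = 300): array
{
    $byPool = [];
    foreach ($lines as $line) {
        $ev = parseFpmCrashLine($line);
        if ($ev === null || !in_array($ev['signal'], CRASH_SIGNALS, true)) {
            continue;   // not a crash exit (e.g. SIGTERM on reload)
        }
        $byPool[$ev['pool']][] = $ev['time']->getTimestamp();
    }
    $alerts = [];
    foreach ($byPool as $pool => $times) {
        sort($times);
        $start = 0;                       // sliding window over sorted timestamps
        for ($end = 0; $end < count($times); $end++) {
            while ($times[$end] - $times[$start] > $windowSeconds) {
                $start++;
            }
            $n = $end - $start + 1;
            if ($n >= $threshold) {
                $alerts[$pool] = ['count' => $n,
                                  'first' => date('c', $times[$start]),
                                  'last'  => date('c', $times[$end])];
            }
        }
    }
    return $alerts;
}

// Constructed sample lines in php-fpm's log format.
$log = [
    '[20-Jun-2025 10:15:02] WARNING: [pool www] child 4321 exited on signal 11 (SIGSEGV - core dumped) after 12.345678 seconds from start',
    '[20-Jun-2025 10:15:03] NOTICE: [pool www] child 4390 started',
    '[20-Jun-2025 10:15:41] WARNING: [pool www] child 4390 exited on signal 11 (SIGSEGV - core dumped) after 38.001122 seconds from start',
    '[20-Jun-2025 10:16:07] WARNING: [pool api] child 5100 exited on signal 15 (SIGTERM) after 3600.000000 seconds from start',
    '[20-Jun-2025 10:17:19] WARNING: [pool www] child 4402 exited on signal 11 (SIGSEGV - core dumped) after 97.555555 seconds from start',
    '[20-Jun-2025 14:00:00] WARNING: [pool www] child 7000 exited on signal 6 (SIGABRT - core dumped) after 1.000000 seconds from start',
];

foreach (findCrashBursts($log) as $pool => $a) {
    printf("ALERT pool %s: %d crash exits between %s and %s\n",
           $pool, $a['count'], $a['first'], $a['last']);
}
```

On the sample, pool www produces an alert for the three SIGSEGV exits between 10:15 and 10:18, the SIGTERM in pool api is ignored as a normal reload, and the lone SIGABRT hours later does not reach the threshold. In production, feed the function from the file php-fpm's error_log points at and forward alerts to whatever the team already pages on; keep core dumps from the crashing workers, since they show whether extract() was on the stack.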

📦 Isolate Legacy Applications
If you still run PHP 5.x (which is unsupported), isolate it using Docker or chroot, and begin planning a migration strategy.


⚠️ Why This Matters

The extract() function has long been considered dangerous, especially in contexts involving user input. This vulnerability reaffirms that legacy PHP functions, if misused or unpatched, can present modern threats even in the latest environments.

As a sysadmin, your role is critical in safeguarding production environments. Applying updates and enforcing secure development practices are key steps in defending against zero-day threats like this.


🔗 More information:

📣 Patch now. Audit fast. Don’t let your server become the next attack vector.

Sources: OpenSecurity.
