CVE-2020-7065

7.4 HIGH

📋 TL;DR

A buffer overflow vulnerability in PHP's mb_strtolower() function when using UTF-32LE encoding allows attackers to corrupt memory. This could lead to crashes or potentially remote code execution. Affects PHP applications running vulnerable versions that process untrusted input with this specific encoding.

💻 Affected Systems

Products:
  • PHP
Versions: PHP 7.3.0-7.3.15, PHP 7.4.0-7.4.3
Operating Systems: All operating systems running affected PHP versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when mb_strtolower() is called with UTF-32LE encoding on invalid strings

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise

🟠 Likely Case: Application crashes causing denial of service

🟢 If Mitigated: Limited impact with proper input validation and encoding restrictions

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific conditions but public proof-of-concept exists

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PHP 7.3.16, PHP 7.4.4

Vendor Advisory: https://bugs.php.net/bug.php?id=79371

Restart Required: Yes

Instructions:

1. Update PHP to version 7.3.16 or higher for PHP 7.3.x, or 7.4.4 or higher for PHP 7.4.x.
2. Restart web server and PHP-FPM services.
3. Verify the update was successful.

🔧 Temporary Workarounds

Disable UTF-32LE encoding (applies to: all)

Remove or disable UTF-32LE encoding support in mbstring configuration

Edit php.ini and set: mbstring.encoding_translation = Off
Or remove UTF-32LE from mbstring.internal_encoding

Input validation (applies to: all)

Validate and sanitize all input before passing to mb_strtolower()
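An added example of the input-validation workaround, written for this page and not taken from the advisory or from the PHP project: a call-site guard that checks the input with mb_check_encoding() and refuses malformed UTF-32 before mb_strtolower() ever runs. The function name, the exception class and the sample byte strings are constructed for the illustration. Because the encoding is passed explicitly in the call, php.ini-level encoding settings do not change what this call does, so the check has to live at the call site.

```php
<?php
// Added example (not from the advisory or the PHP project): a guard that
// rejects malformed input before mb_strtolower() sees it. The function and
// exception names are assumptions for this illustration.

declare(strict_types=1);

final class InvalidEncodingInput extends InvalidArgumentException {}

/**
 * Lowercase $input only if it is well-formed in $encoding.
 * For UTF-32 the string must be a whole number of 4-byte units, and every
 * unit must decode to a valid code point (U+0000..U+10FFFF, no surrogates).
 * mb_check_encoding() is assumed to reject units outside that range.
 */
function safe_mb_strtolower(string $input, string $encoding): string
{
    $enc = strtoupper($encoding);

    // Structural check for UTF-32 variants: length must be a multiple of 4.
    // strncmp() is used instead of str_starts_with() to stay on PHP 7.x.
    if (strncmp($enc, 'UTF-32', 6) === 0 && strlen($input) % 4 !== 0) {
        throw new InvalidEncodingInput('UTF-32 input length is not a multiple of 4');
    }

    // Semantic check: every unit must decode to a valid code point.
    if (!mb_check_encoding($input, $encoding)) {
        throw new InvalidEncodingInput("input is not valid $encoding");
    }

    return mb_strtolower($input, $encoding);
}

// Constructed sample inputs (not taken from the advisory):
// "AB" in UTF-32LE -> 41 00 00 00 42 00 00 00
$valid = "\x41\x00\x00\x00\x42\x00\x00\x00";
// One 4-byte unit whose value (0x7FFFFFFF) lies above the Unicode ceiling.
$outOfRange = "\xFF\xFF\xFF\x7F";
// A truncated unit: only 3 of the 4 bytes are present.
$truncated = "\x41\x00\x00";

$samples = [
    'valid'        => $valid,
    'out-of-range' => $outOfRange,
    'truncated'    => $truncated,
];

foreach ($samples as $label => $sample) {
    try {
        $out = safe_mb_strtolower($sample, 'UTF-32LE');
        echo "$label: ok -> ", bin2hex($out), "\n";
    } catch (InvalidEncodingInput $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```

Run it with `php guard.php` on any 7.3 or 7.4 interpreter: the valid sample is lowered and the two malformed samples are refused before the case-mapping routine runs. Treat the guard as defence in depth alongside the patch, not as a replacement for it, and keep the same check on every other mbstring call that receives untrusted multi-byte input.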

🧯 If You Can't Patch

  • Implement strict input validation for all data passed to mb_strtolower()
  • Use Web Application Firewall (WAF) rules to block suspicious encoding patterns

🔍 How to Verify

Check if Vulnerable:

Check PHP version and test with vulnerable code pattern using UTF-32LE encoding

Check Version:

php -v

Verify Fix Applied:

Verify PHP version is 7.3.16+ or 7.4.4+ and test with previously vulnerable inputs
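An added example of the version check above, written for this page and not part of the advisory: a small PHP function that classifies a version string against the affected ranges (7.3.0-7.3.15, 7.4.0-7.4.3) and fixed versions (7.3.16, 7.4.4) stated on this page. The function name is an assumption and the sample version strings are constructed.

```php
<?php
// Added example (not from the advisory): classify a PHP version string
// against the affected and fixed versions listed for CVE-2020-7065.

declare(strict_types=1);

/**
 * Returns 'vulnerable', 'fixed' or 'not-listed' for the given version.
 * Ranges are taken from the advisory: 7.3.0-7.3.15 and 7.4.0-7.4.3 are
 * affected; 7.3.16 and 7.4.4 carry the fix. Other branches are not
 * covered by this page, so they are reported as 'not-listed'.
 */
function cve_2020_7065_status(string $version): string
{
    // Drop suffixes such as "-dev" or "RC1" before comparing numerically.
    $clean = preg_replace('/[^0-9.].*$/', '', $version);

    if (version_compare($clean, '7.3.0', '>=') && version_compare($clean, '7.4.0', '<')) {
        return version_compare($clean, '7.3.16', '>=') ? 'fixed' : 'vulnerable';
    }
    if (version_compare($clean, '7.4.0', '>=') && version_compare($clean, '7.5.0', '<')) {
        return version_compare($clean, '7.4.4', '>=') ? 'fixed' : 'vulnerable';
    }
    return 'not-listed';
}

// Check the interpreter this script is running under.
printf("running PHP %s: %s\n", PHP_VERSION, cve_2020_7065_status(PHP_VERSION));

// Constructed sample versions covering each branch of the check.
foreach (['7.3.15', '7.3.16', '7.4.3', '7.4.4', '7.2.30', '8.0.0'] as $v) {
    printf("%-8s -> %s\n", $v, cve_2020_7065_status($v));
}
```

Run it as `php check.php` on each host, or with the same interpreter that serves PHP-FPM. One caveat a version string cannot answer: distribution packages often backport the fix while keeping the old version number, so on such systems confirm the fix through the package changelog rather than the number alone.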

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in PHP/webserver logs
  • Unexpected process crashes

Network Indicators:

  • HTTP requests with unusual encoding parameters
  • Requests containing UTF-32LE encoded data

SIEM Query:

source="php_error.log" AND ("segmentation fault" OR "buffer overflow" OR "mb_strtolower")
