PHP EXIF exif_process_IFD_in_MAKERNOTE maker_note->offset Mishandling Arbitrary Code Execution Vulnerability

A vulnerability in the EXIF component of PHP could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is in the exif_process_IFD_in_MAKERNOTE method in the ext/exif/exif.c source code file of the affected software, and is due to an uninitialized read memory operation error by the affected software when handling the maker_note->offset relationship to the value_len variable. An attacker could exploit this vulnerability by sending requests that submit malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code and compromise the targeted system completely.

The PHP Project has confirmed the vulnerability and released software updates.

Security Impact Rating: Critical

CVE: CVE-2019-9638

Source:: offset Mishandling Arbitrary Code Execution Vulnerability” >Cisco Multivendor Vulnerability Alerts