CVE-2024-9026

Advisory lineage Upstream: 0 Downstream: 16

Downstream

DEBIAN-CVE-2024-9026 DLA-3920-1 DSA-5780-1 MGASA-2024-0328 OPENSUSE-SU-2024:14376-1 RHSA-2024:10949

Modified

Published: 08 Oct 2024, 04:07

Last modified:03 Nov 2025, 22:33

Vulnerability Summary

Overall Risk (default)

low

23/100

CVSS Score

3.3 LOW

v3.1 (cve.org)

EPSS Score

0.67% LOW

1% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

08 Oct 2024, 04:07

Published

Vulnerability first disclosed

03 Nov 2025, 22:33

Last Modified

Vulnerability information updated

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

CVSS Metrics

v3.1•LOW•Score: 3.3CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS Trends

Current EPSS score: 0.67%• Percentile: 72%

Techniques & Countermeasures

CWE-117•Improper Output Neutralization for Logs
The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
CWE-158•Improper Neutralization of Null Byte or NUL Character
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

Affected Systems

Unknown•PHP
≥ 8.1.*, < 8.1.30 | ≥ 8.2.*, < 8.2.24 | ≥ 8.3.*, < 8.3.12
Unknown•PHP
≥ 8.1.0, < 8.1.30 | ≥ 8.2.0, < 8.2.24 | ≥ 8.3.0, < 8.3.12