CVE-2020-7064: 
PHP vulnerability analysis and mitigation

In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, a vulnerability was discovered in the exif_read_data() function that could allow malicious data to cause PHP to read one byte of uninitialized memory. This vulnerability, identified as CVE-2020-7064, was disclosed in April 2020 (CVE-MITRE, NVD).

The vulnerability exists in the EXIF data parsing functionality of PHP when using the exif_read_data() function. When processing maliciously crafted EXIF data, the function could read one byte of uninitialized memory. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L (NETAPP-ADVISORY).

The successful exploitation of this vulnerability could potentially lead to information disclosure or cause the application to crash. The unauthorized access to uninitialized memory could expose sensitive information from the system's memory (UBUNTU-SECURITY).

The vulnerability has been fixed in PHP versions 7.2.29, 7.3.16, and 7.4.4. Users are advised to upgrade to these or later versions. Multiple Linux distributions have also released security updates to address this vulnerability, including Ubuntu, Debian, and OpenSUSE (DEBIAN-SECURITY, UBUNTU-SECURITY).