CVE-2020-7065: 
PHP vulnerability analysis and mitigation

In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This vulnerability was discovered and disclosed in March 2020, affecting PHP installations using the mb_strtolower() function (PHP Changelog, NVD).

The vulnerability occurs when using the mb_strtolower() function specifically with UTF-32LE encoding. When processing certain invalid strings, the function could cause PHP to overwrite a stack-allocated buffer in the convert_case_filter function. The issue stems from improper validation of input strings, where negative values less than 0xffffff could bypass the size checks. This could lead to buffer overflow conditions with sizes ranging from 512-1020 bytes (PHP Bug Report).

The successful exploitation of this vulnerability could lead to memory corruption, application crashes, and potentially arbitrary code execution. The severity is rated as HIGH with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD).

The vulnerability has been fixed in PHP versions 7.3.16 and 7.4.4. Users are strongly recommended to upgrade to these or later versions. Multiple Linux distributions have also released security updates to address this vulnerability, including Ubuntu in USN-4330-1 and USN-4330-2, and Debian in DSA-4719 (Ubuntu Security Notice, Debian Security Advisory).