CVE-2020-7065: 
PHP vulnerability analysis and mitigation

In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mbstrtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This vulnerability was discovered and disclosed in March 2020, affecting PHP installations using the mbstrtolower() function (PHP Changelog, NVD).

The vulnerability occurs when using the mbstrtolower() function specifically with UTF-32LE encoding. When processing certain invalid strings, the function could cause PHP to overwrite a stack-allocated buffer in the convertcase_filter function. The issue stems from improper validation of input strings, where negative values less than 0xffffff could bypass the size checks. This could lead to buffer overflow conditions with sizes ranging from 512-1020 bytes (PHP Bug Report).

The successful exploitation of this vulnerability could lead to memory corruption, application crashes, and potentially arbitrary code execution. The severity is rated as HIGH with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD).

The vulnerability has been fixed in PHP versions 7.3.16 and 7.4.4. Users are strongly recommended to upgrade to these or later versions. Multiple Linux distributions have also released security updates to address this vulnerability, including Ubuntu in USN-4330-1 and USN-4330-2, and Debian in DSA-4719 (Ubuntu Security Notice, Debian Security Advisory).