CVE-2024-11235: 
PHP vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2024-11235) was discovered in PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5. The vulnerability occurs when a code sequence involving __set handler or ??= operator and exceptions leads to a use-after-free condition. This vulnerability was discovered and disclosed in March 2025 (PHP Advisory).

The vulnerability stems from a reference counting issue in php_request_shutdown. When an exception handler frees variables via cleanup_live_vars for termination, the subsequent php_request_shutdown performs reference counting on these already freed variables using zend_gc_refcount(read) and zend_gc_delref(write), resulting in use-after-free. The vulnerability has been assigned a CVSS 4.0 Base Score of 9.2 (CRITICAL) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber (NVD).

If an attacker can control the memory layout leading to this vulnerability, for example by supplying specially crafted inputs to the script, it could lead to remote code execution. Since zend_mm_free_small stores metadata in freed memory chunks, this use-after-free vulnerability may allow manipulation of the Zend allocator through reference count behaviors (PHP Advisory).

The vulnerability has been patched in PHP versions 8.3.19 and 8.4.5. Users are advised to upgrade to these patched versions to mitigate the risk. Ubuntu has also released security updates to address this vulnerability in their supported versions (Ubuntu Notice).