CVE-2024-11235: 
PHP vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2024-11235) was discovered in PHP versions 8.3. before 8.3.19 and 8.4. before 8.4.5. The vulnerability occurs when a code sequence involving __set handler or ??= operator and exceptions leads to a use-after-free condition. This vulnerability was discovered and disclosed in March 2025 (PHP Advisory).

The vulnerability stems from a reference counting issue in phprequestshutdown. When an exception handler frees variables via cleanuplivevars for termination, the subsequent phprequestshutdown performs reference counting on these already freed variables using zendgcrefcount(read) and zendgcdelref(write), resulting in use-after-free. The vulnerability has been assigned a CVSS 4.0 Base Score of 9.2 (CRITICAL) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber (NVD).

If an attacker can control the memory layout leading to this vulnerability, for example by supplying specially crafted inputs to the script, it could lead to remote code execution. Since zendmmfree_small stores metadata in freed memory chunks, this use-after-free vulnerability may allow manipulation of the Zend allocator through reference count behaviors (PHP Advisory).

The vulnerability has been patched in PHP versions 8.3.19 and 8.4.5. Users are advised to upgrade to these patched versions to mitigate the risk. Ubuntu has also released security updates to address this vulnerability in their supported versions (Ubuntu Notice).