Based on the information presented in this article, we recommend the following:
If you are investigating a potential vulnerability in a system running this version, the most critical risks associated with the Zend Engine/PHP 7.4 era involve memory corruption or unsafe deserialization.
Common Attack Vectors for PHP 7.4 / Zend v3.4.0
1. Use-After-Free & Memory Corruption
To mitigate the risk of the Zend Engine V3.4.0 exploit, the following steps can be taken:
A common vector for these exploits is a round trip in which data is converted to a string and back, often without validating object types during the process.
In early v3.4.0 builds, internal functions using ZEND_PARSE_PARAMETERS did not always validate object handlers before casting. By passing a crafted object with a custom get handler into a function expecting a zend_string, the engine would read the object’s property table as if it were a buffer.
Use-after-free: The engine "frees" the old memory but continues to "use" it, allowing an attacker to overwrite that memory space with malicious data.