PatchSiren

CVE-2015-8994 PHP CVE debrief

CVE-2015-8994 affects PHP 5.x and 7.x deployments that use apache2handler/mod_php or php-fpm with OpCache enabled. In the affected configurations, shared OpCache state in a parent process could let child processes reuse cached script bytecode across user boundaries, weakening the protection normally provided by file permissions. The risk is highest in shared-hosting or privilege-separation setups where different PHP workers run under different EUIDs but still share the same OpCache memory object.

Vendor: PHP
Product: CVE-2015-8994
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Operators of PHP 5.x or 7.x servers using OpCache, especially shared-hosting environments, Apache mod_php deployments, and php-fpm setups that change user IDs per site or tenant. Security teams responsible for CMS, multi-tenant, or hosting platforms should treat this as a privilege-separation issue.

Technical summary

NVD describes the flaw as a shared-memory cache handling issue in Zend OpCache. When PHP SAPIs share a common parent process, the parent initializes a shared memory object that child processes inherit and use to cache compiled bytecode. Because cache keys can center on the script filename, and filenames may be known or guessed, bytecode from one user’s script may be retrievable or runnable by another user’s process in shared-parent configurations. NVD maps the issue to CWE-264 and lists affected PHP ranges through 5.6.29 and up to but excluding 7.0.14. The record also notes that mitigation is available in a non-default configuration using opcache.validate_permission=1 on newer fixed releases.

Defensive priority

High for multi-tenant or shared-hosting PHP environments with OpCache enabled. Even though the CVSS vector includes high attack complexity, the confidentiality, integrity, and availability impact is rated high, and the issue directly affects privilege boundaries.

Recommended defensive actions

  • Confirm whether PHP is running under mod_php or php-fpm with OpCache enabled on shared-parent process models.
  • Check deployed versions against the NVD ranges: PHP 5.x through 5.6.29 and PHP 7.x through 7.0.13 are listed as vulnerable.
  • Upgrade to a fixed PHP release and validate vendor guidance for your specific SAPI and packaging.
  • If you cannot immediately upgrade, evaluate the non-default mitigation opcache.validate_permission=1 where supported and appropriate.
  • Review shared-hosting or per-site EUID separation to ensure cache-sharing behavior does not cross tenant boundaries.
  • Audit CMS and application deployments that rely on script file permissions for tenant isolation.
  • Use the official PHP and NVD references to confirm the exact remediation path for your environment.
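
The first four checks above can be scripted against the text that `php -i` (or a phpinfo() dump from the web SAPI) produces. The following is an added example, not code from PHP or the NVD record; the result labels and function names are hypothetical, the sample input is constructed, and the version ranges are the ones quoted on this page.

```python
import re

SHARED_PARENT_SAPIS = ("apache 2.0 handler", "fpm/fastcgi")  # mod_php, php-fpm

def parse_phpinfo(text):
    """Map 'name => local [=> master]' lines to {name: local value}."""
    settings = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("=>")]
        if len(parts) >= 2 and parts[0]:
            settings[parts[0]] = parts[1]
    return settings

def in_listed_range(version):
    """Ranges as stated on this page: 5.x through 5.6.29; 7.x before 7.0.14."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unparseable PHP version: %r" % version)
    v = tuple(int(x) for x in m.groups())
    return (v[0] == 5 and v <= (5, 6, 29)) or (v[0] == 7 and v < (7, 0, 14))

def is_on(value):
    return value.strip().lower() in ("1", "on", "yes", "true")

def assess(phpinfo_text):
    """Classify one host: hypothetical labels, chosen for this example."""
    s = parse_phpinfo(phpinfo_text)
    sapi = s.get("Server API", "").lower()
    shared = any(name in sapi for name in SHARED_PARENT_SAPIS)
    if not (shared and is_on(s.get("opcache.enable", "0"))):
        return "not-applicable"      # CLI/other SAPI, or OpCache disabled
    listed = in_listed_range(s.get("PHP Version", ""))
    validate = is_on(s.get("opcache.validate_permission", "0"))
    if listed:
        return "listed-setting-on" if validate else "listed-vulnerable"
    return "ok" if validate else "setting-off"

# Constructed sample, not captured from a real host.
SAMPLE = """\
PHP Version => 7.0.13
Server API => FPM/FastCGI
opcache.enable => On => On
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A version-string comparison does not see fixes that a distribution has backported, so treat a "listed" result as a prompt to check the package changelog rather than as proof of exposure.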

Evidence notes

This debrief is based on the supplied NVD record and its listed references only. The NVD summary states the affected configurations, the shared-memory behavior, the version ranges, and the non-default mitigation setting. Reference links include PHP internals and oss-security mailing list threads, a PHP bug tracker entry, and a third-party technical write-up. The published date used here is the CVE publication timestamp provided in the corpus: 2017-03-02T06:59:00.167Z.

Official resources

Publicly disclosed through PHP-related mailing list discussions and later recorded by NVD on 2017-03-02. The supplied source set includes PHP internals and oss-security references, plus a PHP bug tracker entry and a third-party technical-ad