PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10158 PHP CVE debrief

CVE-2016-10158 is a PHP EXIF parsing flaw that can crash affected applications when they process specially crafted EXIF metadata. The impact is denial of service only, but the NVD assigns a HIGH severity score because the issue is reachable over the network, requires no privileges or user interaction, and affects availability.

Vendor
PHP
Product
PHP (ext/exif)
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-24
Original CVE updated
2026-05-13
Advisory published
2017-01-24
Advisory updated
2026-05-13

Who should care

Operators and developers running PHP applications that load the exif extension, especially services that accept image uploads or read metadata from images they did not produce themselves. Security teams should also care: a crafted file crashes the PHP process that parses it, and every affected branch (5.6, 7.0, 7.1) was still supported at the time of disclosure.

Technical summary

The vulnerable function is exif_convert_any_to_int in ext/exif/exif.c, which is reached when EXIF metadata is parsed by functions such as exif_read_data(). According to the CVE description and NVD record, crafted EXIF data can make it divide the minimum representable negative 32-bit integer by -1. That quotient (2^31) does not fit in a signed 32-bit integer: in C the operation is undefined behaviour, and on x86 the idiv instruction raises a divide-error exception, so the process is terminated by SIGFPE instead of returning an error value. This is why the observable impact is a hard crash rather than a PHP-level error. NVD maps the weakness to CWE-189 (Numeric Error) and lists vulnerable PHP versions up to 5.6.29, 7.0.14, and 7.1.0, with fixes in 5.6.30, 7.0.15, and 7.1.1.
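The following C program is an added, illustrative reconstruction of the edge case; it is not PHP's code and does not reproduce the upstream fix. It reads an EXIF SRATIONAL field (two signed 32-bit integers, numerator then denominator, in the byte order announced by the TIFF header) the way a parser would, shows the unguarded conversion that only checks for a zero denominator, a predicate that a scanner or fuzz harness can use to flag the INT32_MIN / -1 pair, and a hardened conversion that never executes that division. The function names, the saturating-to-INT32_MAX policy, and the sample byte arrays are all assumptions made for this example; the byte arrays are constructed, not taken from any real image.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Read one signed 32-bit value from an EXIF buffer.  "MM" (Motorola) files
 * are big endian, "II" (Intel) files are little endian; the caller passes
 * the order it found in the TIFF header.
 */
static int32_t exif_get32s(const unsigned char *p, bool big_endian)
{
    uint32_t v;
    if (big_endian) {
        v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
            ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    } else {
        v = ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
            ((uint32_t)p[1] << 8)  |  (uint32_t)p[0];
    }
    return (int32_t)v;   /* two's complement reinterpretation */
}

/*
 * Shape of the bug (illustrative, not PHP's exact code): only the zero
 * denominator is guarded.  INT32_MIN / -1 would be 2^31, which does not fit
 * in int32_t.  In C that is undefined behaviour; on x86 the idiv instruction
 * raises a divide-error exception and the process dies with SIGFPE.
 */
static int32_t srational_to_int_unsafe(const unsigned char *field, bool big_endian)
{
    int32_t num = exif_get32s(field, big_endian);
    int32_t den = exif_get32s(field + 4, big_endian);
    if (den == 0) {
        return 0;
    }
    return num / den;    /* traps for num == INT32_MIN, den == -1 */
}

/* Predicate for a scanner or fuzz harness: does this field hit the edge case? */
static bool srational_would_trap(const unsigned char *field, bool big_endian)
{
    int32_t num = exif_get32s(field, big_endian);
    int32_t den = exif_get32s(field + 4, big_endian);
    return den == -1 && num == INT32_MIN;
}

/*
 * Hardened conversion: the unrepresentable quotient is handled before any
 * division runs.  Saturating to INT32_MAX is this example's policy choice;
 * what matters is that the idiv is never executed for that input pair.
 */
static int32_t srational_to_int_safe(const unsigned char *field, bool big_endian)
{
    int32_t num = exif_get32s(field, big_endian);
    int32_t den = exif_get32s(field + 4, big_endian);
    if (den == 0) {
        return 0;
    }
    if (den == -1) {
        /* -num is safe once INT32_MIN has been excluded */
        return num == INT32_MIN ? INT32_MAX : -num;
    }
    return num / den;
}

/* Constructed sample fields (assumed for this example, not from a real file). */
const unsigned char TRAP_FIELD_BE[8] = {0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff}; /* INT32_MIN / -1, "MM" order */
const unsigned char TRAP_FIELD_LE[8] = {0x00, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff}; /* INT32_MIN / -1, "II" order */
const unsigned char OK_FIELD_BE[8]   = {0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x02}; /* 10 / 2, "MM" order */

int main(int argc, char **argv)
{
    printf("OK_FIELD_BE   unsafe=%d safe=%d\n",
           srational_to_int_unsafe(OK_FIELD_BE, true), srational_to_int_safe(OK_FIELD_BE, true));
    printf("TRAP_FIELD_BE would_trap=%d safe=%d\n",
           srational_would_trap(TRAP_FIELD_BE, true), srational_to_int_safe(TRAP_FIELD_BE, true));
    printf("TRAP_FIELD_LE would_trap=%d safe=%d\n",
           srational_would_trap(TRAP_FIELD_LE, false), srational_to_int_safe(TRAP_FIELD_LE, false));

    /* Only on request: run the unguarded division so the fatal signal can be observed. */
    if (argc > 1 && strcmp(argv[1], "--crash") == 0) {
        printf("unsafe=%d\n", srational_to_int_unsafe(TRAP_FIELD_BE, true));
    }
    return 0;
}
```

Run without arguments to see the safe path handle both byte orders; run with `--crash` to watch the unguarded path terminate the process (on x86 Linux the shell reports "Floating point exception"). Because the overflowing division is undefined behaviour in C, an optimizing compiler is free to turn it into a different trap instruction, so treat the exact signal as platform-dependent and the crash itself as the reliable part.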

Defensive priority

High for environments that ingest untrusted images or metadata through PHP. Nothing in the record indicates code execution, but a single crafted file can reliably kill the PHP process that parses it, so exposed applications on impacted versions face a cheap, repeatable denial of service.

Recommended defensive actions

  • Upgrade PHP to a fixed release: 5.6.30, 7.0.15, or 7.1.1, or later supported versions.
  • Review applications that parse EXIF data, especially upload and media-processing paths, and prioritize patching those services.
  • Track vendor and downstream advisories for confirmation of remediation across your distribution or platform.
  • If immediate upgrade is not possible, confirm whether the exif extension is actually loaded (it appears as exif in the output of php -m) and disable it where nothing depends on it; otherwise reduce exposure to untrusted image uploads and monitor for repeated SIGFPE terminations of PHP workers or services.

Evidence notes

The summary is grounded in the NVD record, which cites the PHP changelogs, the PHP bug tracker entry, and the upstream patch commit. The published CVE description states the EXIF integer edge case and the affected version ranges; the NVD CPE criteria further enumerate vulnerable releases. No exploit steps are included.

Official resources

The CVE was published by NVD on 2017-01-24. The supplied record does not include a separate exploit disclosure timeline; it does include vendor changelog and bug-tracker references associated with the fix.