PatchSiren cyber security CVE debrief

CVE-2016-10159 PHP CVE debrief

CVE-2016-10159 is a PHP PHAR parsing vulnerability that can be triggered by a truncated manifest entry in a PHAR archive. The result is a denial of service through excessive memory consumption or an application crash; the NVD CVSS vector rates this as network-exploitable, unauthenticated, and availability-only.

Vendor: PHP
Product: CVE-2016-10159
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-24
Original CVE updated: 2026-05-13
Advisory published: 2017-01-24
Advisory updated: 2026-05-13

Who should care

Teams running PHP-based web applications, hosting platforms, container images, Linux distributions that ship PHP, and anyone who accepts or processes user-supplied PHAR archives should care most.

Technical summary

According to the CVE description and NVD record, an integer overflow in phar_parse_pharfile() in ext/phar/phar.c can occur while parsing a truncated manifest entry inside a PHAR archive. NVD lists the affected PHP versions as those before 5.6.30 and 7.0.x before 7.0.15, with further vulnerable CPE entries also present in the record. The practical impact is denial of service only (memory consumption or crash); the CVE record gives no evidence of confidentiality or integrity impact.

Defensive priority

High for exposed PHP services that may ingest untrusted archives or content. The CVSS vector rates the issue as remotely reachable with no privileges or user interaction required, so patching of internet-facing PHP deployments should be handled as emergency maintenance rather than deferred to the routine cycle.

Recommended defensive actions

  • Upgrade PHP to a fixed release at or above the vendor-patched versions noted in the PHP 5 and PHP 7 changelogs.
  • Apply your distribution or platform vendor updates if you consume packaged PHP builds rather than upstream releases.
  • Review any application paths that accept or unpack PHAR archives from untrusted sources and limit that input where possible.
  • Confirm whether your deployed PHP build falls within the affected version ranges listed by NVD before and after remediation.
  • Track downstream advisories from your OS or hosting vendor to ensure the packaged PHP runtime is fully updated.
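The version-range confirmation in the list above, as an added triage helper (not PatchSiren's or PHP's own code). It encodes the ranges this page quotes from NVD (before 5.6.30, 7.0.x before 7.0.15, plus the single 7.1.0 CPE criterion) and assumes a `php` binary on PATH only for the optional live lookup; the sample versions at the bottom are constructed.

```python
"""Triage helper: does a deployed PHP version fall inside the NVD-listed
affected ranges for CVE-2016-10159?  Added example, not the page's code."""
import re
import subprocess

# Ranges as stated on this page: PHP before 5.6.30, 7.0.x before 7.0.15,
# plus the single 7.1.0 CPE criterion present in the NVD record.
FIXED_5 = (5, 6, 30)
FIXED_70 = (7, 0, 15)
EXTRA_CPE = {(7, 1, 0)}


def parse_php_version(text: str) -> tuple:
    """Turn '7.0.14' or '7.0.14-0ubuntu1' into (major, minor, patch).
    Anything after the numeric triple (distro suffixes) is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the NVD ranges above."""
    v = parse_php_version(version)
    if v < FIXED_5:                        # everything before 5.6.30
        return True
    if v[:2] == (7, 0) and v < FIXED_70:   # 7.0.0 .. 7.0.14
        return True
    return v in EXTRA_CPE                  # the extra 7.1.0 criterion


def triage(version: str) -> str:
    """Verdict text; the caveat matters for packaged (distro) builds."""
    if is_affected(version):
        return (f"PHP {version}: inside NVD-listed range for CVE-2016-10159. "
                "Distribution builds may carry a backported fix without a "
                "version bump, so confirm against your vendor advisory.")
    return f"PHP {version}: outside NVD-listed range for CVE-2016-10159."


def installed_php_version() -> str:
    """Ask the local interpreter for its version (needs php on PATH)."""
    out = subprocess.run(["php", "-r", "echo PHP_VERSION;"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample versions; on a host use installed_php_version().
    for sample in ["5.6.29", "5.6.30", "7.0.14-0ubuntu1", "7.0.15", "7.1.0", "7.1.1"]:
        print(triage(sample))
```

A version match is a first-pass signal only: the page's own advice to apply distribution updates applies because packaged builds may be patched without changing PHP_VERSION.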

Evidence notes

This debrief is based only on the supplied CVE record and linked official/vendor references. The CVE description states an integer overflow in phar_parse_pharfile() can be triggered by a truncated manifest entry in a PHAR archive, causing denial of service via memory consumption or crash. NVD provides the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and lists affected PHP ranges through 5.6.29 and 7.0.x before 7.0.15, plus an additional PHP 7.1.0 CPE criterion in the record. The CVE was published on 2017-01-24 and the NVD record was modified on 2026-05-13; it is not marked as a KEV item in the supplied data.

Official resources

Publicly disclosed in the CVE record on 2017-01-24T21:59:00.180Z; the NVD record was last modified on 2026-05-13T00:24:29.033Z. The supplied data does not indicate KEV inclusion.