PatchSiren cyber security CVE debrief
CVE-2016-10160 PHP CVE debrief
CVE-2016-10160 is a critical memory-corruption bug in PHP’s PHAR archive parser. A crafted PHAR archive with an alias mismatch can trigger an off-by-one error in phar_parse_pharfile(), potentially causing a denial of service and, according to the CVE description, possibly arbitrary code execution. The NVD record ties the issue to PHP releases prior to 5.6.30 and 7.0.15, and also lists PHP 7.1.0 as vulnerable.
- Vendor: PHP
- Product: CVE-2016-10160
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-24
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-24
- Advisory updated: 2026-05-13
Who should care
Administrators and developers running affected PHP versions, especially systems that process untrusted PHAR archives or accept user-controlled file uploads. Security teams should prioritize internet-facing PHP applications and any platform embedding PHP runtimes.
Technical summary
NVD describes the flaw as an off-by-one error in ext/phar/phar.c within phar_parse_pharfile(). The trigger is a crafted PHAR archive with an alias mismatch. The issue is classified by NVD as CWE-193 (Off-by-one Error) and rated CVSS 3.1 9.8/Critical with network attack vector, low complexity, no privileges required, and no user interaction. NVD’s affected-version criteria include PHP 5.6.0-5.6.29, 7.0.0-7.0.14, and 7.1.0.
Defensive priority
Critical. Treat as urgent for any exposed or broadly deployed PHP runtime that may parse PHAR content from untrusted sources.
Recommended defensive actions
- Upgrade PHP to a fixed release at or beyond 5.6.30, 7.0.15, or the applicable safe release for your branch.
- Inventory applications and services that can ingest or deserialize PHAR archives, including indirect parsing through libraries or file-handling workflows.
- Restrict untrusted file uploads and validate archive types before processing them in PHP.
- Apply vendor and distribution advisories referenced in the CVE record to confirm package-specific fixes.
- Prioritize remediation on internet-facing systems and shared hosting environments that run affected PHP versions.
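As a first-pass fleet check for the inventory and upgrade steps above, the following Python is an added example (not PatchSiren's or the PHP project's code): it parses collected `php -v` banners against the NVD affected ranges and fixed releases quoted in this debrief. The hostnames and banners are constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Affected upstream ranges from the NVD CPE criteria quoted in this debrief (inclusive).
AFFECTED_RANGES = (
    ((5, 6, 0), (5, 6, 29)),
    ((7, 0, 0), (7, 0, 14)),
    ((7, 1, 0), (7, 1, 0)),
)
# First fixed releases named in the debrief; no fixed 7.1 release is named on this page.
FIXED_RELEASES = {(5, 6): "5.6.30", (7, 0): "7.0.15"}
# Matches the first line of `php -v`, e.g. "PHP 7.0.14 (cli) (built: ...)".
BANNER_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)")

def parse_php_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) from a php -v banner, or None. A distribution
    suffix such as '-0ubuntu0.16.04.1' after the patch number is ignored."""
    m = BANNER_RE.match(banner.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the upstream version lies inside an NVD affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)

def triage_host(host: str, banner: str) -> Dict[str, str]:
    """Classify one host. 'affected' means the upstream number is in range;
    a distribution package may carry a backported fix, so confirm against
    the distribution advisory before closing or escalating the finding."""
    v = parse_php_version(banner)
    if v is None:
        return {"host": host, "status": "unknown", "action": "collect php -v output"}
    if is_affected(v):
        fixed = FIXED_RELEASES.get(v[:2], "the applicable safe release for this branch")
        return {"host": host, "status": "affected",
                "action": f"upgrade to {fixed} or later; confirm with distribution advisory"}
    return {"host": host, "status": "outside NVD affected ranges", "action": "none for this CVE"}

def triage_fleet(fleet: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    return {host: triage_host(host, banner) for host, banner in fleet.items()}

# Constructed sample inventory (hypothetical hostnames and banners, not real data).
SAMPLE_FLEET = {
    "web-01": "PHP 7.0.14 (cli) (built: Jan  1 2017 00:00:00) ( NTS )",
    "web-02": "PHP 7.0.15 (cli) (built: Jan  1 2017 00:00:00) ( NTS )",
    "legacy-03": "PHP 5.6.29 (cli) (built: Jan  1 2017 00:00:00)",
    "api-04": "PHP 7.1.0 (cli) (built: Jan  1 2017 00:00:00) ( NTS )",
    "broken-05": "php: command not found",
}
```

Run `triage_fleet(SAMPLE_FLEET)` to get one record per host; the "affected" status is a version-string result only and still needs the vendor or distribution advisory check the actions list calls for.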
Evidence notes
All statements are based on the supplied NVD CVE record and its referenced official/vendor links. The NVD description identifies an off-by-one error in phar_parse_pharfile() in ext/phar/phar.c and states that crafted PHAR archives with an alias mismatch may cause DoS or possibly code execution. The NVD CPE criteria list the affected PHP ranges as 5.6.0 through 5.6.29, 7.0.0 through 7.0.14, and 7.1.0 (a single-version range, 7.1.0 through 7.1.0). Vendor-linked references in the corpus include PHP changelog pages, a PHP bug tracker entry, and third-party advisories.
Official resources
- CVE-2016-10160 CVE record (CVE.org)
- CVE-2016-10160 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation and vendor references listed in the NVD record (URLs not preserved in this copy): two vendor release-notes advisories, one vendor issue-tracking entry carrying the patch, and several third-party advisories and VDB entries, one of which is flagged as a broken link.
Publicly disclosed in the official NVD record on 2017-01-24T21:59:00.227Z. The record was last modified on 2026-05-13T00:24:29.033Z.