PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10161 PHP CVE debrief

CVE-2016-10161 is a PHP denial-of-service issue in the unserialization path. Crafted serialized data can trigger a buffer over-read in object_common1/finish_nested_data, causing the application to crash. The issue affects PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1.

Vendor: PHP
Product: CVE-2016-10161
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-24
Original CVE updated: 2026-05-13
Advisory published: 2017-01-24
Advisory updated: 2026-05-13

Who should care

Administrators and developers running PHP applications that accept or process serialized data should prioritize this issue, especially for internet-facing services. Distribution maintainers and platform teams should verify package versions and backports.

Technical summary

NVD describes the flaw as a buffer over-read in ext/standard/var_unserializer.c, specifically in object_common1 when crafted serialized input is mishandled during finish_nested_data. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating remote, unauthenticated availability impact with no direct confidentiality or integrity impact. The vulnerable version ranges listed in the corpus end at 5.6.29, 7.0.14, and 7.1.0, with fixes indicated in the linked PHP changelogs and issue tracker.

Defensive priority

High. This is a network-reachable, no-authentication denial-of-service condition that can crash PHP applications. Even without data exposure or code execution, it can disrupt externally reachable services and should be patched promptly.

Recommended defensive actions

  • Upgrade PHP to a fixed release at or above 5.6.30, 7.0.15, or 7.1.1, or deploy the vendor/distro backport that includes the fix.
  • Inventory PHP deployments and identify services that accept serialized data from users, APIs, queues, or cached content.
  • Prioritize internet-facing applications and shared hosting environments where a crash would have broader operational impact.
  • Review application and server logs for unexpected PHP crashes or repeated failures in serialization-heavy code paths.
  • Use the linked PHP changelogs and vendor advisories to confirm the exact fixed package version for your distribution.
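As an added illustration of the first action above (example code written for this debrief, not part of the original advisory or of PHP itself), the following script classifies a reported PHP version against the fixed releases 5.6.30, 7.0.15 and 7.1.1. It assumes branches newer than 7.1 already carry the fix, and it flags distro-style version strings with a packaging suffix (a hypothetical `5.6.29-0+deb8u1` is used below) for manual backport verification rather than declaring them vulnerable outright.

```python
import re
from typing import Tuple

# Fixed releases per branch, as stated in the debrief. Anything on a branch
# older than 5.6 is treated as affected ("PHP before 5.6.30"); branches newer
# than 7.1 are assumed to carry the fix (assumption, not stated on the page).
FIXED = {
    (5, 6): (5, 6, 30),
    (7, 0): (7, 0, 15),
    (7, 1): (7, 1, 1),
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def version_from_php_v(output: str) -> str:
    """Extract the version token from the first line of `php -v` output."""
    m = re.search(r"PHP (\S+)", output)
    if not m:
        raise ValueError("could not find a PHP version in the given output")
    return m.group(1)


def parse_php_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Split a version such as '7.0.14' or '5.6.29-0+deb8u1' (constructed
    distro-style value) into its numeric triple and any trailing suffix."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'verify-backport' for CVE-2016-10161."""
    (major, minor, patch), suffix = parse_php_version(version)
    branch = (major, minor)
    if branch < (5, 6):
        upstream_vulnerable = True
    elif branch in FIXED:
        upstream_vulnerable = (major, minor, patch) < FIXED[branch]
    else:
        upstream_vulnerable = False  # assumption: 7.2+ include the 7.1.1 fix
    if not upstream_vulnerable:
        return "fixed"
    # A distro-packaged build keeps the upstream number but may carry the
    # backported fix, so the version string alone cannot settle that case.
    return "verify-backport" if suffix else "vulnerable"
```

Feed it the first line of `php -v` from each host in your inventory; a `verify-backport` result means consulting the distribution's changelog as the last action above describes.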

Evidence notes

The NVD record and CVE description both identify a PHP unserialization buffer over-read leading to an application crash. The corpus also provides the affected version ranges, the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and the fix references in the php.net changelogs, PHP bug 73825, and the upstream PHP source commit. The CVE record's publishedAt timestamp is 2017-01-24T21:59:00.260Z; the supplied modifiedAt/sourceModifiedAt timestamp is 2026-05-13T00:24:29.033Z. No KEV entry is present in the supplied data.

Official resources

The issue was publicly disclosed in the NVD/CVE record on 2017-01-24, with vendor references and an upstream PHP fix linked in the source corpus. The supplied enrichment does not mark it as KEV.