PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10162 PHP CVE debrief

CVE-2016-10162 is a remotely triggerable denial-of-service issue in PHP's WDDX deserialization path. A crafted wddxPacket XML document with an inapplicable class name can cause mishandling in wddx_deserialize, leading to a NULL pointer dereference and application crash. NVD rates the issue CVSS 7.5 (High) because it is network-reachable, requires no privileges or user interaction, and impacts availability.

Vendor: PHP
Product: CVE-2016-10162
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-24
Original CVE updated: 2026-05-13
Advisory published: 2017-01-24
Advisory updated: 2026-05-13

Who should care

Operators and developers running PHP 7.0.0 through 7.0.14 or PHP 7.1.0, especially services that accept untrusted XML/WDDX input or call wddx_deserialize. Infrastructure teams should also care if a vendor package or distro build includes the affected PHP versions.

Technical summary

The flaw is in php_wddx_pop_element within ext/wddx/wddx.c. When deserializing a WDDX packet, an inapplicable class name can drive the parser into a bad state and dereference a NULL pointer, crashing the process. The NVD weakness mapping is CWE-476 (NULL Pointer Dereference). The published vulnerable range in the supplied record covers PHP 7.0.0-7.0.14 and 7.1.0, with fixes indicated by the vendor changelog and the referenced php-src patch.

Defensive priority

High

Recommended defensive actions

  • Upgrade PHP to a fixed release: 7.0.15, 7.1.1, or later.
  • Review application code for any use of wddx_deserialize or WDDX parsing on untrusted input.
  • If you cannot upgrade immediately, reduce exposure by removing or isolating WDDX handling paths that process external data.
  • Confirm whether your operating system vendor has backported the fix; the supplied record references RHSA-2018:1296.
  • Use the referenced PHP changelog, bug tracker entry, and php-src commit to verify the exact patched code path in your environment.
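An added audit helper (example code, not PatchSiren's or php-src's) that applies the first two actions above: it checks a PHP version string against the affected range this record lists and finds wddx_deserialize call sites in a source tree. The tree it scans is constructed inline; real version strings and paths are the caller's.

```shell
#!/bin/sh
# Audit helpers for CVE-2016-10162. Added example, not PatchSiren's or php-src's code.
# Assumes a version string like "7.0.12" and a source tree; the tree below is constructed.

# Returns 0 when the version is inside the affected range the record lists
# (7.0.0-7.0.14 and 7.1.0) and 1 otherwise. Versions on other branches are
# not flagged, so the check follows the record rather than guessing.
php_version_affected() {
    ver=${1%%-*}                                   # drop "-dev", "-1ubuntu4" etc.
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3 | tr -cd '0-9')
    patch=${patch:-0}
    [ "$major" = 7 ] || return 1
    if [ "$minor" = 0 ] && [ "$patch" -le 14 ]; then return 0; fi
    if [ "$minor" = 1 ] && [ "$patch" -eq 0 ]; then return 0; fi
    return 1
}

# Prints, one per line, the .php files under $1 that call wddx_deserialize,
# i.e. the WDDX handling paths to review or isolate while unpatched.
find_wddx_calls() {
    grep -rIl --include='*.php' 'wddx_deserialize' "$1" 2>/dev/null | sort
}

# Builds a small constructed source tree and prints its path: one file
# feeds request data to wddx_deserialize, the other never touches WDDX.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/app/import"
    printf '<?php\n$data = wddx_deserialize($_POST["packet"]);\n' \
        > "$root/app/import/legacy.php"
    printf '<?php\necho json_encode(["status" => "ok"]);\n' \
        > "$root/app/index.php"
    printf '%s\n' "$root"
}

# Demonstration: version checks plus a scan of the constructed tree.
for v in 7.0.14 7.0.15 7.1.0 7.1.1; do
    if php_version_affected "$v"; then
        echo "PHP $v: in affected range, upgrade"
    else
        echo "PHP $v: outside affected range"
    fi
done
root=$(build_sample_tree)
echo "Files calling wddx_deserialize:"
find_wddx_calls "$root"
rm -rf "$root"
```

Point find_wddx_calls at your own application root to list the call sites to review; package-manager builds should still be checked against the distro advisory, since a backported fix keeps the original version number.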

Evidence notes

The CVE description supplied in the corpus says the issue is a denial of service via NULL pointer dereference in php_wddx_pop_element, triggered by an inapplicable class name in a wddxPacket XML document and mishandling in a wddx_deserialize call. NVD metadata lists affected PHP versions 7.0.0-7.0.14 and 7.1.0, CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and CWE-476. The CVE was published on 2017-01-24; the 2026-05-13 modified timestamp reflects record updates, not the original vulnerability date.

Official resources

Publicly disclosed in the CVE record on 2017-01-24. The supplied NVD record was later modified on 2026-05-13; that update should not be treated as the original issue date.