Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

INFO

Published Date :

2024-10-08T04:07:33.452Z

Last Modified :

2025-11-03T22:33:15.254Z

Source :

php
AFFECTED PRODUCTS

The following products are affected by CVE-2024-9026 vulnerability.

Vendors Products
Php
  • Php
Redhat
  • Enterprise Linux
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-9026.

URL Resource
https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5 cve-icon cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2024/10/msg00011.html cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-9026 cve-icon
https://security.netapp.com/advisory/ntap-20241101-0003/ cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-9026 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact