Conversation
Edited 10 days ago
[RSS] New writeup: a vulnerability in PHP's extract() function allows attackers to trigger a double-free, which in turn allows arbitrary code execution (native code)

https://ssd-disclosure.com/ssd-advisory-extract-double-free5-x-use-after-free7-x-8-x/

Can't find official identifiers for this, the GitHub advisory link is broken...

@buherator If it’s not in a remote surface (multipart parsing, json, etc) they won’t assign any CVE to it. Would need to check but it’s likely tracked as a functional issue publicly.

@swapgs The weird part is that even the GHSA link is broken. I also skimmed through recent commits, and nothing immediately suspicious came forward, but I guess PHP don't like to advertise security fixes this way either...

@buherator IIRC you get a GHSA ID every time you report something through https://github.com/php/php-src/security/, so this one must have been closed as N/A because it's now in https://github.com/php/php-src/issues/18209.

Anyway it's a nice writeup, and apparently a stable bug that will be useful to bypass disable_functions on a bunch of PHP releases!
