CVE-2019-11048

Public Exploit
Temporary files are not cleaned after OOM when parsing HTTP request data

Description

In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.

Remediation

Workaround:

  • Setting post_max_size to value significantly lower than the memory limit prevents this issue from being exploited. Disabling file uploads also prevents this issue from happening.

Category

5.3
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 21.79% Top 5%
Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory ubuntu.com Vendor Advisory opensuse.org Vendor Advisory debian.org Vendor Advisory debian.org Vendor Advisory php.net Vendor Advisory php.net
Affected: PHP Group PHP
Published at:
Updated at:

References

Link Tags
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/ vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/ vendor advisory
https://usn.ubuntu.com/4375-1/ vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00045.html vendor advisory
https://lists.debian.org/debian-lts-announce/2020/06/msg00033.html mailing list
https://www.debian.org/security/2020/dsa-4717 vendor advisory
https://www.debian.org/security/2020/dsa-4719 vendor advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
https://bugs.php.net/bug.php?id=78875 vendor advisory issue tracking exploit
https://bugs.php.net/bug.php?id=78876 vendor advisory issue tracking exploit
https://security.netapp.com/advisory/ntap-20200528-0006/
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.tenable.com/security/tns-2021-14

Frequently Asked Questions

What is the severity of CVE-2019-11048?
CVE-2019-11048 has been scored as a medium severity vulnerability.
How to fix CVE-2019-11048?
As a workaround for remediating CVE-2019-11048: Setting post_max_size to value significantly lower than the memory limit prevents this issue from being exploited. Disabling file uploads also prevents this issue from happening.
Is CVE-2019-11048 being actively exploited in the wild?
It is possible that CVE-2019-11048 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~22% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-11048?
CVE-2019-11048 affects PHP Group PHP.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.