Platform
php
Component
php
Fixed in
7.2.29
7.3.16
7.4.4
CVE-2020-7064 describes an uninitialized memory read vulnerability in the PHP exif_read_data() function. A malicious actor can craft EXIF data that, when processed, causes PHP to read one byte of uninitialized memory, potentially exposing sensitive information or crashing the application. The vulnerability affects PHP 7.2.x prior to 7.2.29, 7.3.x prior to 7.3.16, and 7.4.x prior to 7.4.4; fixes are available in PHP 7.2.29, 7.3.16 and 7.4.4.
Successful exploitation of CVE-2020-7064 could allow an attacker to read sensitive data from the PHP process's memory. Although a single exploitation attempt discloses only one byte, repeated attempts or chaining with other vulnerabilities could reveal more. The impact is primarily information disclosure, but a crash could also disrupt service availability. The vulnerability is particularly concerning in environments where PHP processes user-uploaded images, since malicious EXIF data can be delivered through an image upload. The potential for information disclosure makes this a significant security risk, especially in applications handling sensitive data such as personal information or financial records.
CVE-2020-7064 was publicly disclosed on April 1, 2020. While no active exploitation campaigns have been definitively linked to this vulnerability, the potential for information disclosure makes it a target for opportunistic attackers. No public proof-of-concept exploits have been widely released, but the vulnerability's nature makes it relatively straightforward to exploit. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
2.33% (85th percentile)
CVSS Vector
The primary mitigation for CVE-2020-7064 is to upgrade to a patched version of PHP: 7.2.29, 7.3.16 or 7.4.4, or later. If upgrading is not immediately feasible, consider validating and sanitizing EXIF data before processing it with exif_read_data(), for example by stripping potentially malicious EXIF tags or limiting the size of EXIF data accepted. Web Application Firewalls (WAFs) configured to inspect EXIF data for anomalies can add a further layer of defense. After upgrading, confirm the fix by processing a known malicious EXIF file and verifying that no uninitialized memory is read.
Update to PHP 7.2.29, 7.3.16 or 7.4.4, or later. This corrects the uninitialized memory read in the exif_read_data() function.
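The interim measures described above, as an added example that is not part of the advisory or of the PHP project: a wrapper that checks the running interpreter against the fixed releases listed here and, when the fix is absent, strips all EXIF from the upload instead of parsing it. The GD extension and the file paths are assumptions.

```php
<?php
// Added example, not code from the advisory or the PHP project: interim handling of
// untrusted image uploads while the interpreter still lacks the CVE-2020-7064 fix.
// The version check uses the fixed releases the advisory lists; GD and the file
// paths are assumptions.
declare(strict_types=1);

// Fixed releases from the advisory, keyed by minor branch.
const EXIF_FIXED_VERSIONS = ['7.2' => '7.2.29', '7.3' => '7.3.16', '7.4' => '7.4.4'];

// True if the running interpreter carries the fix. Branches the advisory does not
// list (7.1 and older, 8.0 and newer) are compared against the newest fixed release.
function phpHasExifFix(string $version = PHP_VERSION): bool
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    $fixed = EXIF_FIXED_VERSIONS[$branch] ?? '7.4.4';
    return version_compare($version, $fixed, '>=');
}

// Re-encode a JPEG's pixel data with GD. GD writes only JFIF headers plus image
// data, so every APP1/EXIF segment supplied by the uploader is dropped.
function stripJpegMetadata(string $src, string $dst, int $maxBytes = 10 * 1024 * 1024): void
{
    $size = filesize($src);
    if ($size === false || $size > $maxBytes) {
        throw new RuntimeException('upload rejected: size limit exceeded');
    }
    $img = @imagecreatefromjpeg($src);
    if ($img === false) {
        throw new RuntimeException('upload rejected: not a decodable JPEG');
    }
    imagejpeg($img, $dst, 90);
    imagedestroy($img);
}

// Store an upload and return its EXIF tags. On an unpatched interpreter the
// untrusted EXIF never reaches exif_read_data(): the stored copy is the
// metadata-free re-encode and no tags are returned (fail closed).
function storeUploadedImage(string $uploaded, string $storedPath): array
{
    if (!phpHasExifFix()) {
        stripJpegMetadata($uploaded, $storedPath);
        return [];
    }
    if (!copy($uploaded, $storedPath)) {
        throw new RuntimeException('could not store upload');
    }
    return exif_read_data($storedPath) ?: [];
}
// Hypothetical usage: $tags = storeUploadedImage($_FILES['photo']['tmp_name'], '/var/app/uploads/photo.jpg');
```

Applications that need EXIF values from uploads on an unpatched build should treat the empty result as "metadata unavailable until patched" rather than silently defaulting.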
CVE-2020-7064 is a medium severity vulnerability in PHP where malicious EXIF data can trigger an uninitialized memory read, potentially leading to information disclosure or crashes.
You are affected if you are using PHP 7.2.0–7.2.28, 7.3.0–7.3.15, or 7.4.0–7.4.3. Upgrade to a patched version to mitigate the risk.
Upgrade to PHP 7.2.29, 7.3.16 or 7.4.4, or later. If an immediate upgrade is not possible, validate and sanitize EXIF data before processing it.
While no active exploitation campaigns have been definitively linked, the vulnerability's nature makes it a potential target for attackers.
Refer to the PHP security advisory: https://security.php.net/CVE-2020-7064