CVE-2022-31630

OOB read due to insufficient input validation in imageloadfont()

In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.

We have discovered 1,076,326 live websites that are affected by CVE-2022-31630.

Affected Software


Product	PHP
Category	Programming Languages
Vulnerable Versions	from 7.4 before 7.4.33 from 8 before 8.0.25 from 8.1 before 8.1.12
Total Vulnerable Versions	507
Vulnerable Domains	1,076,326 live websites (8.90% of PHP install base)

Common Weakness Enumeration

CWE-131 Incorrect Calculation of Buffer Size

Distribution by Website Rank

The diagram provides a graphic representation of the correlation between the occurrence of CVE-2022-31630 and the relative popularity of websites

Available Reports

Website List

Details

Published - Nov 14, 2022

Credits

[email protected] (reporter)
[email protected] (remediation developer)

CWE

CWE-131

CVE References

CWE References

cwe.mitre.org

Countries

United States	376,823 websites

France	224,575 websites
Russia	50,200 websites
Japan	45,397 websites
Germany	36,204 websites
Netherlands	26,135 websites
GB	25,469 websites
Canada	22,556 websites
Italy	21,091 websites
Spain	20,188 websites

TLDs

.com	511,511 websites
.fr	100,881 websites
.org	60,596 websites
.ru	41,310 websites
.net	34,009 websites
.de	22,035 websites
.nl	20,411 websites
.it	15,972 websites
.com.br	15,094 websites
.pl	14,799 websites

Vulnerable Versions

Vulnerable versions are highlighted in red

Geographical Distribution

The distribution of websites across the globe that are exposed to CVE-2022-31630 through included software libraries and plugins.

References

https://bugs.php.net/bug.php?id=81739

Websites affected by CVE-2022-31630

Top websites that are affected by CVE-2022-31630. Please click on the "Contact us" button above to get more information.

Domain	Country	Rank
*.***.pl	Poland	,**
*.***.pm	Saint Pierreand Miquelon	,**
*******.com	Germany	,**
****.org	GB	,**
***************.org	United States	,**
**********.org	United States	,**
*.*.com	United States	,**
******.org	United States	,**
*.********.org	United States	,**
******.com	France	,**

See full domain list