An error occurs within the “php_parserr()” function (ext/standard/dns.c) when handling DNS responses. This error can be exploited to cause a crash or Denial of Service. A malicious DNS server can send a crafted reply that leads to a memcpy operation with a negative size parameter. This aﬀects the function `dns_get_record()` if the DNS query is of type DNS_CAA or DNS_ANY.
A CVE has not been assigned. The vulnerability is reported in version 7.1.25. Other versions may also be aﬀected.
Denial of Service
The ﬂaw is ﬁxed in the source code repository. (Third-party patch)
Vendor has not released any ﬁxes at the time of making of this advisory.