CVE-2019-11043
Underflow in PHP-FPM can lead to RCEIn PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
We have discovered 137,319 live websites that are affected by CVE-2019-11043.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Domains | 137,319 live websites (1.77% of PHP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 68 versions ( 14% of all versions) |
Common Weakness Enumeration
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')Details
- Published - Oct 28, 2019
- Updated - Oct 21, 2025
Credits
- Reported by Emil Lerner.
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2019-11043 United States | 16,946 websites |
 France | 52,619 websites |
 Netherlands | 9,535 websites |
 China | 9,281 websites |
 Russia | 7,516 websites |
 Japan | 5,790 websites |
 Germany | 4,487 websites |
 Poland | 2,708 websites |
 Italy | 2,028 websites |
 Spain | 1,895 websites |
Website Distribution by TLD
Number of websites using CVE-2019-11043| .com | 52,999 websites |
| .fr | 21,903 websites |
| .nl | 7,014 websites |
| .ru | 6,210 websites |
| .net | 3,996 websites |
| .org | 3,995 websites |
| .de | 2,988 websites |
| .be | 2,892 websites |
| .pl | 2,636 websites |
| .it | 1,960 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2019-11043
Top websites that are affected by CVE-2019-11043. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *.cn | China | *,*** | |
| *****.cn | China | *,*** | |
| *********.com | China | *,*** | |
| ****.com | China | *,*** | |
| *****.**.com | China | *,*** | |
| *****.org | United States | *,*** | |
| ********.com | United States | *,*** | |
| ********.com | United States | **,*** | |
| *****.***.tr |  Turkey | **,*** | |
| ********.com | France | **,*** |
FAQ
CVE-2019-11043 is Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in PHP
A total of 137,319 websites have been identified as vulnerable to CVE-2019-11043, based on global website indexing conducted by WebTechSurvey.
The PHP is affected by the CVE-2019-11043 vulnerability.
PHP versions up to 7.3.11 are vulnerable to CVE-2019-11043.
CVE-2019-11043 is resolved in version 7.3.11 of PHP.
References
- https://github.com/neex/phuip-fpizdam
- https://bugs.php.net/bug.php?id=78599
- https://usn.ubuntu.com/4166-1/
- https://www.debian.org/security/2019/dsa-4552
- https://www.debian.org/security/2019/dsa-4553
- https://usn.ubuntu.com/4166-2/
- https://support.f5.com/csp/article/K75408500?utm_source=f5support&%3Butm_medium=RSS
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/
- https://security.netapp.com/advisory/ntap-20191031-0003/
- https://access.redhat.com/errata/RHSA-2019:3286
- https://access.redhat.com/errata/RHSA-2019:3287
- https://access.redhat.com/errata/RHSA-2019:3299
- https://access.redhat.com/errata/RHSA-2019:3300
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html
- https://access.redhat.com/errata/RHSA-2019:3724
- https://access.redhat.com/errata/RHSA-2019:3735
- https://access.redhat.com/errata/RHSA-2019:3736
- https://www.synology.com/security/advisory/Synology_SA_19_36
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html
- https://support.apple.com/kb/HT210919
- https://seclists.org/bugtraq/2020/Jan/44
- http://seclists.org/fulldisclosure/2020/Jan/40
- https://access.redhat.com/errata/RHSA-2020:0322
- http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html
- https://www.tenable.com/security/tns-2021-14