A string of more than 255 characters passed to locale_get_display_name (in the php-intl package) will cause a stack buffer overflow in the ICU library. Upstream issue: https://bugs.php.net/bug.php?id=67397 Upstream patch: https://bugs.php.net/patch-display.php?bug_id=67397&patch=bug67397-patch&revision=latest CVE assignment: https://seclists.org/oss-sec/2016-q4/525 Note that this patch is actually a workaround for CVE-2014-9911 in icu.