The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. Upstream issue: https://github.com/php/php-src/pull/2396
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1443534]
Upstream bug: https://bugs.php.net/bug.php?id=74146

I agree with the vendor's assessment: this is not a security issue. It is a crash triggered by executing (essentially) arbitrary PHP code. Taking an untrusted value from the user and putting it in `declare(ticks=%s)` is not something done in practice, as it is likely to expose your system to denial of service even without this bug.