Use After Free Vulnerability in PHP's GC algorithm and unserialize

Disclosed: 2016-07-28 13:17:32 By evonide To ibb
Vulnerability Details
https://bugs.php.net/bug.php?id=72433

This vulnerability was discovered during the auditing of a vendor on HackerOne and could be successfully remotely exploited. The required conditions are a normal PHP setup with a PHP version >= 5.3 and < 7. Further, it is enough if the remote side uses code like the following:

    $unserialized = unserialize($user_input);
    print(serialize($unserialized));

Unfortunately, this code pattern is sometimes still used in software, making this vulnerability critical. Please feel free to ask for more technical details if necessary. Thank you for your consideration.
Report Stats
  • Report ID: 146233
  • State: Closed
  • Substate: resolved
  • Upvotes: 11
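
One way to keep request data away from unserialize() in the pattern quoted in the report, as an added example that is not code from the report or from PHP itself: state is carried as JSON with an HMAC-SHA256 tag, and anything that fails the tag check is rejected before decoding. The function names, the token layout and the demo key are assumptions made for this example; the hash_equals() fallback is there because the affected range starts at PHP 5.3.

```php
<?php
// Added example. pack_state(), unpack_state() and ct_equals() are hypothetical
// names chosen for this illustration, not part of any library.

// Constant-time string comparison. hash_equals() only exists from PHP 5.6.
function ct_equals($known, $given) {
    if (function_exists('hash_equals')) {
        return hash_equals($known, $given);
    }
    if (strlen($known) !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($known); $i++) {
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

// Encode state as base64(JSON) and append an HMAC-SHA256 tag over the body.
function pack_state(array $state, $key) {
    $body = base64_encode(json_encode($state));
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

// Return the decoded array, or null if the token is malformed or the tag is wrong.
// The tag is verified before any decoding of the body takes place.
function unpack_state($token, $key) {
    if (!is_string($token)) return null;
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    list($body, $tag) = $parts;
    if (!ct_equals(hash_hmac('sha256', $body, $key), $tag)) return null;
    $json = base64_decode($body, true);
    if ($json === false) return null;
    $state = json_decode($json, true);
    return is_array($state) ? $state : null;
}

// Constructed demo values; a real key would come from secret storage.
$key   = 'constructed-demo-key';
$token = pack_state(array('user' => 'alice', 'cart' => array(1, 2)), $key);

var_dump(unpack_state($token, $key));        // round trip of an untouched token
var_dump(unpack_state('x' . $token, $key));  // modified token is rejected
```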