A one-byte file containing only the ‘#’ character, not followed by any
newline, causes php-cgi to perform an out-of-bounds read, potentially
disclosing sensitive information present in memory or even triggering
code execution if the adjacent memory location contains valid PHP code.
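
The bounds check that this kind of out-of-bounds read calls for, as an added example (not php-cgi's code and not part of the original advisory): a hypothetical helper, skip_hash_line, that skips a leading '#' line in a buffer of known length. It assumes the parser is skipping such a line when it runs off the end of the one-byte file; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not PHP source): given a script buffer of exactly
 * `len` bytes, return the offset of the first byte after a leading '#'
 * line, or 0 if the buffer does not start with '#'. Never reads buf[len]. */
size_t skip_hash_line(const unsigned char *buf, size_t len)
{
    size_t i = 0;

    if (len == 0 || buf[0] != '#')
        return 0;

    /* Scan for the line terminator, stopping at the end of the buffer.
     * The length test comes first so buf[i] is only read when i < len. */
    while (i < len && buf[i] != '\n' && buf[i] != '\r')
        i++;

    /* Consume "\r", "\n" or "\r\n" only if those bytes really exist. */
    if (i < len && buf[i] == '\r')
        i++;
    if (i < len && buf[i] == '\n')
        i++;

    return i; /* i == len means the '#' line was the whole file */
}

int main(void)
{
    /* Constructed sample inputs; the first is the one-byte file. */
    static const char *samples[] = {
        "#",
        "#!/usr/bin/php\n<?php echo 1;",
        "#!php\r\n<?php",
        "<?php echo 1;",
        "",
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        size_t len = strlen(samples[k]);
        size_t off = skip_hash_line((const unsigned char *)samples[k], len);
        printf("len=%zu -> body starts at offset %zu\n", len, off);
    }
    return 0;
}
```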

A use-after-free vulnerability in unserialize() allows a remote attacker
to execute arbitrary code. This vulnerability results from an incomplete
fix for CVE-2014-8142.

An attempt to free an uninitialized pointer may result in arbitrary code
execution while parsing exif information from a carefully crafted file.