CVE-2016-4473: php: Invalid free() instead of efree() in phar_extract_file()

Severity: Critical

CVSS Score: 9.8

/ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833.