A critical vulnerability in PHP’s extract() function enables attackers to trigger memory corruption that can lead to arbitrary native code execution across multiple PHP versions.

The vulnerability stems from a memory management issue that can be triggered by a specific usage pattern involving references and object destructors affecting all major PHP versions including 5.x, 7.x, and 8.x.