CVE-2015-6835

The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple phpvarunserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service use-after-free via crafted session content...