There is no access counters for _SESSION and HTTP_SESSION_VARS variables, making it possible to trigger use-after-free conditions by unsetting these variables. In addition, it's possible to deserealize these variables.
vulners.com/securityvulns/securityvulns:doc:16480
vulners.com/securityvulns/securityvulns:doc:16481
vulners.com/securityvulns/securityvulns:doc:16482