A vulnerability in the PHP unserialize() function was announced at the SyScan 2010 security conference. Proof-of-concept exploit code has been published. PHP developers have committed a fix to their source code repository (see link below), but have not released an official fix as of this writing.
PHP 5.2 <= 5.2.13
PHP 5.3 <= 5.3.2
email: david @ sharpesecurity.com