Skip to main content

PHP EUVDEUVD-2026-28979

| CVE-2026-6104 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-10 php
Medium
Disputed · 6.3 Vendor: php
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (php) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Amber
SUSE
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Red Hat
8.2 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: php

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 10, 2026 - 07:16 EUVD
Analysis Generated
May 10, 2026 - 06:30 vuln.today
CVSS changed
May 10, 2026 - 06:22 NVD
6.3 (MEDIUM)
CVE Published
May 10, 2026 - 04:35 nvd
MEDIUM 6.3

DescriptionCVE.org

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.

AnalysisAI

Out-of-bounds read in PHP's mbstring extension allows remote attackers to trigger information disclosure or denial of service via specially crafted encoding names containing NUL bytes passed to mb_convert_encoding() and related functions. Affected versions: PHP 8.4.0-8.4.20 and 8.5.0-8.5.5. The vulnerability stems from unsafe string length comparison logic that misinterprets strncasecmp() return values when NUL bytes are present, potentially exposing global memory contents or crashing the application. No public exploit code identified at time of analysis.

Technical ContextAI

The mbstring extension in PHP provides character encoding conversion and detection functions. The vulnerability exists in how these functions validate encoding names before processing. The root cause (CWE-125: out-of-bounds read) arises from a logic error in string comparison: the code uses strncasecmp() to compare encoding names but incorrectly assumes that a return value of 0 guarantees the strings have equal length. When an encoding name contains an embedded NUL byte (\x00), strncasecmp() truncates comparison at the NUL boundary, returning 0 even though the actual strings differ in length. This causes the function to read beyond the intended buffer boundary, accessing adjacent global memory. The affected functions include mb_convert_encoding() (for charset conversion), mb_detect_encoding() (for charset detection), mb_convert_variables() (batch conversion), and mb_detect_order() (detection priority). Additionally, the mbstring.detect_order and mbstring.http_output INI settings, which internally call these functions, are also affected. CPE designation a:php_group:php covers all PHP installations using the vulnerable mbstring extension.

RemediationAI

Upgrade immediately to PHP 8.4.21 or later, or to PHP 8.5.6 or later. Users on PHP 8.3 or earlier are unaffected and do not require patching. For environments unable to upgrade immediately, implement input validation to reject encoding parameter values containing NUL bytes (\x00 / chr(0) in PHP). This can be enforced at the application level before calling mbstring functions: validate user-supplied encoding names against a whitelist of valid encoding names (e.g., 'UTF-8', 'ISO-8859-1', 'Shift_JIS') or use preg_match('/^[a-zA-Z0-9_-]+$/', $encoding) to reject suspicious characters. Additionally, restrict access to PHP scripts that expose encoding parameters to trusted sources only if feasible, and consider disabling unused mbstring functionality. Note that disabling the mbstring extension entirely has high impact (breaks character encoding features in multi-language applications) but eliminates the attack surface; assess necessity based on application requirements. Security advisory available at https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Legacy 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

EUVD-2026-28979 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy