Home

Description

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.

PUBLISHED Reserved 2026-04-11 | Published 2026-05-10 | Updated 2026-05-10 | Assigner php




MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/RE:M/U:Amber

Problem types

CWE-125 Out-of-bounds Read

Product status

Default status
unaffected

8.4.* (semver) before 8.4.21
affected

8.5.* (semver) before 8.5.6
affected

Credits

Akshay Jain reporter

Ilija Tovilo remediation developer

References

github.com/...hp-src/security/advisories/GHSA-74r9-qxhc-fx53 vendor-advisory

cve.org (CVE-2026-6104)

nvd.nist.gov (CVE-2026-6104)

Download JSON