Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
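The last sentence describes the exposure: an application that lets request data choose the encoding handed to mb_regex_encoding(). The following added PHP example (not code from the advisory or from php-src) shows that pattern next to a hardened form that normalises the value against a fixed application allowlist before calling the function; the allowlist contents and the `safeRegexEncoding` helper are assumptions for illustration.

```php
<?php
// Added example, not part of the advisory: restrict the encoding handed to
// mb_regex_encoding() to a fixed allowlist instead of trusting request input.
declare(strict_types=1);

// Encodings this hypothetical application actually needs. Keep the list short:
// the flaw is a mismatch between mbfl's and Oniguruma's encoding tables, so a
// name mbfl accepts is not by itself evidence that the regex engine handles it,
// and mb_list_encodings() alone is therefore not a sufficient filter here.
const ALLOWED_REGEX_ENCODINGS = ['UTF-8', 'ASCII', 'ISO-8859-1'];

function safeRegexEncoding(string $requested): string
{
    // Compare case-insensitively, but only ever return the canonical
    // allowlisted spelling, never the caller-supplied string.
    foreach (ALLOWED_REGEX_ENCODINGS as $allowed) {
        if (strcasecmp($allowed, $requested) === 0) {
            return $allowed;
        }
    }
    // Unknown or unexpected value: log it (hex-encoded, so log lines stay
    // clean) and fall back to a safe default rather than passing it through.
    error_log('rejected regex encoding: ' . bin2hex($requested));
    return 'UTF-8';
}

// Vulnerable pattern: request data decides the regex encoding directly.
// mb_regex_encoding($_GET['enc']);

// Hardened pattern: the value is normalised against the allowlist first, so
// mb_regex_encoding() only ever sees one of the three names above.
$enc = safeRegexEncoding((string)($_GET['enc'] ?? ''));
mb_regex_encoding($enc);

// Regex work then proceeds under the vetted encoding.
$isWord = mb_ereg('^[[:alpha:]]+$', 'héllo');
echo 'encoding=' . mb_regex_encoding() . ' match=' . var_export($isWord, true) . PHP_EOL;
```

On an unpatched build the same allowlist check also limits the denial-of-service surface to whatever those three encodings do, which is the point of never forwarding the raw request value.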

PUBLISHED Reserved 2026-04-28 | Published 2026-05-10 | Updated 2026-05-10 | Assigner php

LOW: 2.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/U:Amber

Problem types

CWE-476 NULL Pointer Dereference

Product status

Default status: affected

8.2.* (semver) before 8.2.31: affected

8.3.* (semver) before 8.3.31: affected

8.4.* (semver) before 8.4.21: affected

8.5.* (semver) before 8.5.6: affected

Credits

Viet Hoang Luu (The University of Melbourne) reporter

Amirmohammad Pasdar (The University of Melbourne) reporter

Wachiraphan Charoenwet (The University of Melbourne) reporter

Shaanan Cohney (The University of Melbourne) reporter

Toby Murray (The University of Melbourne) reporter

Van-Thuan Pham (The University of Melbourne) reporter

Ilija Tovilo remediation developer

References

github.com/...hp-src/security/advisories/GHSA-wm6j-2649-pv75 vendor-advisory

cve.org (CVE-2026-7259)

nvd.nist.gov (CVE-2026-7259)