CVE-2026-6104

EUVD-2026-28979
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that a return value of 0 from strncasecmp() means the strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
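The comparison flaw described above, reduced to a C sketch (an added example, not PHP's mbstring source): it contrasts a lookup that trusts strncasecmp() == 0 with one that checks lengths first. The names `known_names`, `lookup_flawed`, `lookup_strict` and `length_mismatch` are hypothetical, and the table and input are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed table standing in for a global list of encoding names. */
static const char *const known_names[] = { "UTF-8", "ASCII", "SJIS" };
#define N_NAMES (sizeof known_names / sizeof known_names[0])

/* Flawed pattern: treats strncasecmp() == 0 as "same length".
 * strncasecmp() stops at the first NUL in both strings, so the 10-byte
 * input "utf-8\0AAAA" compares equal to the 5-byte entry "UTF-8". */
static int lookup_flawed(const char *name, size_t len)
{
    for (size_t i = 0; i < N_NAMES; i++)
        if (strncasecmp(known_names[i], name, len) == 0)
            return (int)i;
    return -1;
}

/* Hardened pattern: reject embedded NULs and require equal lengths
 * before the case-insensitive comparison is trusted. */
static int lookup_strict(const char *name, size_t len)
{
    if (memchr(name, '\0', len) != NULL)
        return -1;
    for (size_t i = 0; i < N_NAMES; i++)
        if (strlen(known_names[i]) == len &&
            strncasecmp(known_names[i], name, len) == 0)
            return (int)i;
    return -1;
}

/* Gap between the caller's length and the matched entry's real length:
 * code that later indexes the entry using `len` overshoots by this much. */
static size_t length_mismatch(const char *name, size_t len)
{
    int i = lookup_flawed(name, len);
    if (i < 0 || len < strlen(known_names[i]))
        return 0;
    return len - strlen(known_names[i]);
}

int main(void)
{
    const char input[] = "utf-8\0AAAA";          /* constructed sample */
    size_t len = sizeof input - 1;               /* 10 bytes, NUL at index 5 */
    printf("flawed=%d strict=%d mismatch=%zu\n", lookup_flawed(input, len),
           lookup_strict(input, len), length_mismatch(input, len));
    return 0;
}
```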
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 9.1 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Score Percentile: 34%
Affected Products (NVD)
Vendor | Product | Version
php | php | 8.4.0 ≤ x < 8.4.21
php | php | 8.5.0 ≤ x < 8.5.6
x = Vulnerable software versions
Debian Releases
Debian Product | Codename | Version | Status
php7.4 | bullseye | 7.4.33-1+deb11u5 | fixed
php7.4 | bullseye (security) | 7.4.33-1+deb11u11 | fixed
php8.2 | bookworm | 8.2.31-1~deb12u1 | fixed
php8.2 | bookworm (security) | 8.2.31-1~deb12u1 | fixed
php8.4 | forky | 8.4.22-1 | fixed
php8.4 | sid | 8.4.22-1 | fixed
php8.4 | trixie | | vulnerable
php8.4 | trixie (security) | 8.4.21-1~deb13u1 | fixed
Amazon Linux Releases
Amazon Package | Release | Version | Status
php8.4 | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-bcmath | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-bcmath-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-cli | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-cli-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-common | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-common-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-dba | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-dba-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-dbg | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-dbg-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-debugsource | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-devel | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-embedded | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-embedded-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-enchant | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-enchant-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-ffi | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-ffi-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-fpm | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-fpm-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-gd | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-gd-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-gmp | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-gmp-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-intl | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-intl-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-ldap | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-ldap-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-mbstring | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-mbstring-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-modphp | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-modphp-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-mysqlnd | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-mysqlnd-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-odbc | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-odbc-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-opcache | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-opcache-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-pdo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-pdo-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-pgsql | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-pgsql-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-process | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-process-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-snmp | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-snmp-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-soap | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-soap-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-sodium | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-sodium-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-tidy | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-tidy-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-xml | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-xml-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-zip | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed
php8.4-zip-debuginfo | Amazon Linux 2023 | 0:8.4.21-1.amzn2023.0.1 | fixed