CVE-2026-6104

EUVD-2026-28979

10.05.2026, 06:16

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
php	CNA	6.3 MEDIUM	NETWORK	LOW	NONE	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/RE:M/U:Amber

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
php	php	8.4.* ≤ 𝑥 < 8.4.21	CNA
php	php	8.5.* ≤ 𝑥 < 8.5.6	CNA

Debian Releases

Debian Product

Codename

php7.4

bullseye	7.4.33-1+deb11u5 fixed
bullseye (security)	7.4.33-1+deb11u10 fixed

php8.2

bookworm	8.2.29-1~deb12u1 fixed
bookworm (security)	8.2.31-1~deb12u1 fixed

php8.4

forky	vulnerable
sid	8.4.21-1 fixed
trixie	vulnerable
trixie (security)	8.4.21-1~deb13u1 fixed

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

Vulnerability Media Exposure

[GERMAN] PHP: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in PHP ausnutzen, um beliebigen Programmcode auszuführen, SQL-Injection- oder Cross-Site-Scripting-Angriffe durchzuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Published: 2026-05-07T22:00:00+00:00

References

https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53