CVE-2026-7258

EUVD-2026-28968
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
phpCNA
6.3 MEDIUM
NETWORK
HIGH
NONE
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/U:Amber
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
phpphp
8.2.* ≤
𝑥
< 8.2.31
CNA
phpphp
8.3.* ≤
𝑥
< 8.3.31
CNA
phpphp
8.4.* ≤
𝑥
< 8.4.21
CNA
phpphp
8.5.* ≤
𝑥
< 8.5.6
CNA
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bullseye
vulnerable
bullseye (security)
vulnerable
php8.2
bookworm
vulnerable
bookworm (security)
8.2.31-1~deb12u1
fixed
php8.4
forky
vulnerable
sid
8.4.21-1
fixed
trixie
vulnerable
trixie (security)
8.4.21-1~deb13u1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4