CVE-2026-7259

EUVD-2026-28969
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to  a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
phpCNA
2.1 LOW
NETWORK
HIGH
NONE
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/U:Amber
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
phpphp
8.2.* ≤
𝑥
< 8.2.31
CNA
phpphp
8.3.* ≤
𝑥
< 8.3.31
CNA
phpphp
8.4.* ≤
𝑥
< 8.4.21
CNA
phpphp
8.5.* ≤
𝑥
< 8.5.6
CNA
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bullseye
vulnerable
bullseye (security)
vulnerable
php8.2
bookworm
vulnerable
bookworm (security)
8.2.31-1~deb12u1
fixed
php8.4
forky
vulnerable
sid
8.4.21-1
fixed
trixie
vulnerable
trixie (security)
8.4.21-1~deb13u1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75