CVE-2026-7568

EUVD-2026-28972

10.05.2026, 05:16

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
php	CNA	6.3 MEDIUM	NETWORK	HIGH	NONE	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/RE:L/U:Amber

Base Score

CVSS 3.x

EPSS Score

Percentile: 12%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
php	php	8.2.* ≤ 𝑥 < 8.2.31	CNA
php	php	8.3.* ≤ 𝑥 < 8.3.31	CNA
php	php	8.4.* ≤ 𝑥 < 8.4.21	CNA
php	php	8.5.* ≤ 𝑥 < 8.5.6	CNA

Debian Releases

Debian Product

Codename

php7.4

bullseye	vulnerable
bullseye (security)	vulnerable

php8.2

bookworm	vulnerable
bookworm (security)	8.2.31-1~deb12u1 fixed

php8.4

forky	vulnerable
sid	8.4.21-1 fixed
trixie	vulnerable
trixie (security)	8.4.21-1~deb13u1 fixed

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

Vulnerability Media Exposure

[GERMAN] PHP: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in PHP ausnutzen, um beliebigen Programmcode auszuführen, SQL-Injection- oder Cross-Site-Scripting-Angriffe durchzuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Published: 2026-05-07T22:00:00+00:00

References

https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57