CVE-2026-7259

MEDIUM

Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()

Title source: cna

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75

Scores

CVSS v3 6.5

EPSS 0.0005

EPSS Percentile 16.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-476

Status published

Products (5)

php/php 8.2.0 - 8.2.31

PHP Group/PHP 8.2.* - 8.2.31

PHP Group/PHP 8.3.* - 8.3.31

PHP Group/PHP 8.4.* - 8.4.21

PHP Group/PHP 8.5.* - 8.5.6

Published May 10, 2026

Tracked Since May 10, 2026