EIP-2026-104666

PRE-CVE

PHP 5.5.12 - Locale::parseLocale Memory Corruption

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104666. PoCs published by John Leitch.

AI-analyzed exploit summary This is a detailed writeup describing a memory corruption vulnerability in PHP 5.5.12 due to a double-free in the `get_icu_value_internal` function, which can be triggered via `Locale::parseLocale` with a crafted locale string. The writeup includes stack traces and technical analysis but does not contain executable exploit code.

Description

PHP 5.5.12 - Locale::parseLocale Memory Corruption

Exploits (1)

exploitdb WRITEUP

by John Leitch · textdosphp

https://www.exploit-db.com/exploits/35358

View Code ZIP pw:eip

This is a detailed writeup describing a memory corruption vulnerability in PHP 5.5.12 due to a double-free in the `get_icu_value_internal` function, which can be triggered via `Locale::parseLocale` with a crafted locale string. The writeup includes stack traces and technical analysis but does not contain executable exploit code.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Complex

Reliability

Theoretical

Target: PHP 5.5.12

No auth needed

Prerequisites: PHP application exposing `Locale::parseLocale` to untrusted input

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026