Description
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 the strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
Published: 2026-05-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, passing an encoding name containing an embedded NUL byte to mb_convert_encoding() or related mbstring functions causes the code to misinterpret the result of strncasecmp(). This results in an out-of-bounds read of global memory, which can lead to a crash or disclosure of sensitive data.

Affected Systems

The vulnerability affects PHP as distributed by the PHP Group. It applies to the PHP 8.4 series prior to release 8.4.21 and the PHP 8.5 series prior to release 8.5.6. Functions impacted include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), mb_detect_order(), and the INI settings mbstring.detect_order and mbstring.http_output.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV. An attacker would need to supply a crafted encoding string containing a NUL byte to a reachable mbstring function, which is possible if the application accepts user input for encoding names. Once triggered, the out-of-bounds read may crash the PHP process or expose data from global memory; the available information does not indicate that remote code execution is possible.

Generated by OpenCVE AI on May 10, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PHP to version 8.4.21 or later, or 8.5.6 or later, where the issue has been fixed.
  • Validate all user-supplied encoding names to ensure they contain no NUL bytes before passing them to mbstring functions.
  • Consider disabling or removing unnecessary mbstring usage, or set mbstring.detect_order and mbstring.http_output to safe defaults if the application does not require them.
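As an added illustration of the second recommended action (example code, not from OpenCVE or the PHP project), a small wrapper that rejects encoding names containing a NUL byte and, as an extra allowlist check, any name mbstring does not list, before calling mb_convert_encoding():

```php
<?php
declare(strict_types=1);

/**
 * Return the canonical mbstring encoding name for $name, or null if the name
 * must not be passed to mbstring. Rejects embedded NUL bytes (the trigger
 * described in CVE-2026-6104) and any name that is not a known encoding or
 * alias. Added example, not part of the PHP project.
 */
function safe_mb_encoding(string $name): ?string
{
    // strcspn() stops at the first NUL byte; a span shorter than the string
    // means a NUL is embedded somewhere in the name.
    if (strcspn($name, "\0") !== strlen($name)) {
        return null;
    }
    // Case-insensitive allowlist built once from mbstring's own encoding
    // list and aliases, so unknown or hostile names never reach the C code.
    static $known = null;
    if ($known === null) {
        $known = [];
        foreach (mb_list_encodings() as $enc) {
            $known[strtolower($enc)] = $enc;
            try {
                foreach (mb_encoding_aliases($enc) as $alias) {
                    $known[strtolower($alias)] = $enc;
                }
            } catch (\ValueError $e) {
                // Some listed names have no alias table; the name itself stays.
            }
        }
    }
    return $known[strtolower($name)] ?? null;
}

/** Convert $data only when both encoding names pass validation. */
function safe_mb_convert(string $data, string $to, string $from): ?string
{
    $toEnc = safe_mb_encoding($to);
    $fromEnc = safe_mb_encoding($from);
    if ($toEnc === null || $fromEnc === null) {
        return null; // caller reports a bad request instead of calling mbstring
    }
    return mb_convert_encoding($data, $toEnc, $fromEnc);
}

// Constructed inputs: a legitimate name, then names with an embedded NUL byte.
var_dump(safe_mb_encoding('utf-8'));
var_dump(safe_mb_encoding("UTF-8\0junk"));
var_dump(safe_mb_convert("caf\xc3\xa9", 'ISO-8859-1', "UTF-8\0x"));
```

Applying the same check to values destined for mbstring.detect_order and mbstring.http_output keeps those INI settings out of reach of untrusted input as well.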

Generated by OpenCVE AI on May 10, 2026 at 07:22 UTC.

Advisories
Source: Debian DSA | ID: DSA-6256-1 | Title: php8.4 security update
History

Sun, 10 May 2026 07:45:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Php Group; Php Group php
Type: Vendors & Products | Values Removed: (none) | Values Added: Php Group; Php Group php

Sun, 10 May 2026 06:00:00 +0000

Type: Description | Values Added: In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 the strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
Type: Title | Values Added: Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
Type: Weaknesses | Values Added: CWE-125
Type: References | Values Added: (none listed)
Type: Metrics | Values Added: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: php

Published:

Updated: 2026-05-10T04:35:17.328Z

Reserved: 2026-04-11T04:15:03.938Z

Link: CVE-2026-6104

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T06:16:07.397

Modified: 2026-05-10T06:16:07.397

Link: CVE-2026-6104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T07:30:05Z

Weaknesses