Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass a signed char to ctype functions (such as isxdigit()). On systems where char is signed by default and the ctype functions are implemented as optimized table lookups, such as NetBSD, this can lead to indexing the lookup table with a negative offset, which can trigger a denial of service.
Published: 2026-05-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PHP functions such as urldecode() pass signed characters to ctype routines like isxdigit(); on platforms that combine a signed char default with an optimized table-lookup ctype implementation, this can trigger an array access with a negative offset. This out-of-bounds read, identified as CWE-125 and CWE-839, may crash the PHP interpreter or otherwise make it unavailable, resulting in a denial of service for applications that invoke the affected routines with untrusted input.
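The signed-char pitfall behind this advisory is a general C hazard: `isxdigit()` and the other `<ctype.h>` functions are only defined for values representable as `unsigned char` (or `EOF`), so a table-lookup implementation handed a raw `char` from user input indexes its table with a negative number whenever the byte is 0x80 or above. The following C program is an added example written for this page, not PHP's urldecode() or any NetBSD libc code. The function names (`ctype_index_raw`, `ctype_index_safe`, `safe_isxdigit`, `percent_decode`) and the sample inputs are constructed for illustration. It shows the index a raw call would compute next to the correct one, and a minimal percent-decoder that classifies every byte through the `unsigned char` cast so a high byte following `%` is simply "not a hex digit".

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Index a table-lookup ctype implementation would compute if handed the
 * raw char (the pattern at issue in the advisory): on targets where
 * char is signed, any byte >= 0x80 becomes a negative offset. */
int ctype_index_raw(char c)
{
    return (int)c;
}

/* The correct index: C requires the argument to be representable as
 * unsigned char (or EOF), so convert before the lookup. Always 0..255. */
int ctype_index_safe(char c)
{
    return (int)(unsigned char)c;
}

/* isxdigit() wrapper that is defined for every byte value. */
int safe_isxdigit(char c)
{
    return isxdigit((unsigned char)c);
}

/* Value of a hex digit, or -1 if c is not one. Takes unsigned char on
 * purpose so callers cannot hand it a negative value. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Minimal percent-decoder in the style of urldecode() (constructed for
 * this example; not PHP's implementation). "%XX" with two hex digits
 * becomes one byte, '+' becomes a space, everything else is copied.
 * Returns the number of bytes written; out is always NUL-terminated. */
size_t percent_decode(const char *in, char *out, size_t outsz)
{
    size_t len = strlen(in);
    size_t n = 0;

    if (outsz == 0) return 0;
    for (size_t i = 0; i < len && n + 1 < outsz; i++) {
        char c = in[i];
        /* Classification goes through safe_isxdigit(), so a raw high
         * byte after '%' is treated as "not a hex digit" instead of
         * causing an out-of-bounds table read. */
        if (c == '%' && i + 2 < len &&
            safe_isxdigit(in[i + 1]) && safe_isxdigit(in[i + 2])) {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            out[n++] = (char)((hi << 4) | lo);
            i += 2;
        } else if (c == '+') {
            out[n++] = ' ';
        } else {
            out[n++] = c;
        }
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char sample = '\xE9';   /* constructed: a byte >= 0x80, e.g. from UTF-8 input */
    char buf[32];

    printf("char is %s on this target\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("raw index for 0xE9:  %d\n", ctype_index_raw(sample));
    printf("safe index for 0xE9: %d\n", ctype_index_safe(sample));

    /* Constructed input: valid %XX sequences, then a '%' followed by a
     * raw high byte (the hazardous case), then a '+'. */
    size_t n = percent_decode("a%C3%A9b%\xE9x+", buf, sizeof buf);
    printf("decoded %zu bytes\n", n);
    return 0;
}
```

On a signed-char target such as x86-64 Linux the program reports a raw index of -23 for byte 0xE9 against a safe index of 233; the decoder's behaviour is identical on either kind of target because it never lets a negative value reach the ctype lookup. The same cast is the fix for any code that feeds `char` data from the network or a file into `<ctype.h>` functions.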

Affected Systems

The flaw exists in PHP 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6. Systems running NetBSD, which uses a signed char default together with optimized ctype table lookups, are explicitly named as susceptible, but other platforms with similar default settings and ctype implementations may also be affected. Any deployment of PHP in these version ranges on such operating systems is at risk.

Risk and Exploitability

The CVSS score of 6.3 reflects a moderate severity associated primarily with availability loss. An EPSS score of less than 1% indicates a very low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog, suggesting no known widespread attacks. An attacker would need to supply malformed URL data that is processed by PHP; this can be accomplished remotely if the PHP instance receives untrusted input from a web application, or locally if privileged code can execute the vulnerable function. The exploit path is straightforward once a vulnerable PHP version is in use, and the impact is a forced termination of the PHP process; availability is restored once the service is restarted.

Generated by OpenCVE AI on May 16, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PHP to 8.2.31, 8.3.31, 8.4.21, 8.5.6 or newer, where the signed-char handling bug has been fixed
  • On NetBSD or similar systems, rebuild PHP compiled with an unsigned-char flag or disable optimized ctype table lookups to avoid negative offsets
  • Ensure application logic validates or sanitizes URL-decoded input and avoids calling urldecode on untrusted data until a patch is applied


Advisories
Source ID Title
Debian DLA Debian DLA DLA-4586-1 php7.4 security update
Debian DSA Debian DSA DSA-6255-1 php8.2 security update
Debian DSA Debian DSA DSA-6256-1 php8.4 security update
History

Sat, 16 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-839
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 12 May 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Php
Php php
CPEs cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Vendors & Products Php
Php php
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Php Group
Php Group php
Vendors & Products Php Group
Php Group php

Sun, 10 May 2026 04:45:00 +0000

Type Values Removed Values Added
Description In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.
Title Out-of-bounds read in urldecode() on NetBSD
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: php

Published:

Updated: 2026-05-11T13:06:10.908Z

Reserved: 2026-04-28T04:58:17.457Z

Link: CVE-2026-7258

Vulnrichment

Updated: 2026-05-11T13:06:07.848Z

NVD

Status : Analyzed

Published: 2026-05-10T05:16:11.360

Modified: 2026-05-12T17:41:43.347

Link: CVE-2026-7258

Redhat

Severity : Moderate

Public Date: 2026-05-10T04:28:14Z

Links: CVE-2026-7258 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-16T02:30:13Z

Weaknesses