Impact
PHP functions such as urldecode pass plain char values to the C library's ctype routines, for example isxdigit. The C standard requires the argument to be representable as an unsigned char (or EOF), but a byte with the high bit set (0x80 and above) stored in a char is negative on platforms where char is signed by default. A ctype implementation that indexes a lookup table directly with the argument then reads at a negative offset, before the start of the table. This out-of-bounds read can crash the PHP interpreter, so the practical effect is denial of service; it is a CWE-125 (out-of-bounds read) weakness affecting availability. The flaw is reached only through URL-encoded input that PHP decodes, and it does not give an attacker arbitrary code execution.
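To make the mechanism concrete, here is an added C example (not PHP's own code and not part of the advisory). It shows the two halves of the problem: the index a table-lookup ctype implementation would use when a high-bit byte is passed as a plain char versus through the required unsigned char cast, and a small percent-decoder with urldecode-like behaviour that applies the cast before every isxdigit call. The decoder, its helpers and the sample input strings are constructed for this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Index a table-lookup ctype implementation would use if the byte is
 * passed as a plain char. With a signed char (CHAR_MIN < 0) every byte
 * >= 0x80 becomes negative, so table[c] reads before the table starts. */
int ctype_index_plain_char(char c)
{
    return (int)c;
}

/* The correct index: the C standard requires ctype arguments to be
 * representable as unsigned char (or EOF), so widen through that type. */
int ctype_index_unsigned(char c)
{
    return (int)(unsigned char)c;
}

/* Value of one hex digit; only called after isxdigit() succeeded. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    return (c | 0x20) - 'a' + 10;
}

/* Constructed percent-decoder with urldecode-like behaviour: '+' becomes
 * a space, a valid %XX sequence becomes one byte, anything else (raw
 * high-bit bytes and malformed '%' sequences included) is copied through.
 * Every byte reaches isxdigit() as an unsigned char, so no negative value
 * is ever used as a ctype table index. 'out' needs strlen(in)+1 bytes.
 * Returns the decoded length. */
size_t url_decode_safe(const char *in, char *out)
{
    size_t n = 0;
    const unsigned char *p = (const unsigned char *)in;

    for (; *p; p++) {
        if (*p == '+') {
            out[n++] = ' ';
        } else if (*p == '%' && isxdigit(p[1]) && isxdigit(p[2])) {
            out[n++] = (char)((hexval(p[1]) << 4) | hexval(p[2]));
            p += 2;
        } else {
            out[n++] = (char)*p;
        }
    }
    out[n] = '\0';
    return n;
}

/* Helper: decode 'in' and compare the result with the expected bytes. */
int decode_equals(const char *in, const char *expect, size_t expect_len)
{
    char out[256];
    if (strlen(in) >= sizeof out)
        return 0;
    size_t n = url_decode_safe(in, out);
    return n == expect_len && memcmp(out, expect, expect_len) == 0;
}

int main(void)
{
    /* Constructed input: a raw 0xC3 byte (first byte of UTF-8 "é"), a
     * valid %A9, a '+', and two malformed '%' sequences. */
    const char sample[] = "a\xC3%A9+%zz%4";
    char out[sizeof sample];
    size_t n = url_decode_safe(sample, out);

    printf("char is %s on this platform\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("ctype index for byte 0xC3 as plain char:    %d\n", ctype_index_plain_char((char)0xC3));
    printf("ctype index for byte 0xC3 as unsigned char: %d\n", ctype_index_unsigned((char)0xC3));
    printf("decoded %zu bytes:", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", (unsigned char)out[i]);
    putchar('\n');
    return 0;
}
```

Build with `cc -Wall example.c`; on GCC and Clang you can flip the char signedness with `-fsigned-char` or `-funsigned-char` to see the plain-char index change between -61 and 195 while the unsigned index stays at 195. The decoder keeps malformed sequences such as `%zz` and a trailing `%4` literal, which is the same shape of behaviour the advisory's "malformed URL input" refers to, without ever handing a negative value to isxdigit.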
Affected Systems
The vulnerability affects PHP 8.2.* up to and including 8.2.30, 8.3.* up to and including 8.3.30, 8.4.* up to and including 8.4.20, and 8.5.* up to and including 8.5.5. It is triggered in practice on platforms that combine a signed char default with an optimized table-lookup ctype implementation; NetBSD is the named example. Other platforms may not crash, either because char is unsigned there or because their ctype tables tolerate negative indices, but the PHP code is equally incorrect on them, so every deployment of the listed versions should be treated as affected until it is upgraded.
Risk and Exploitability
A CVSS score of 6.3 places the issue in the Medium range. No EPSS score is available, and the CVE is not listed in the CISA KEV catalog, which only means no confirmed in-the-wild exploitation has been recorded there; it says nothing about how hard the bug is to trigger. An attacker needs only to get URL-encoded data containing high-bit bytes into a urldecode call. That is trivial remotely wherever a web application passes untrusted input (query strings, form fields, headers) to the function, and possible locally when a script decodes attacker-controlled strings. The outcome is a crash of the interpreter process, so repeated requests amount to a denial of service. Upgrading to a release that contains the fix is the remediation; until that is possible, rejecting or stripping non-ASCII bytes from input before it reaches urldecode avoids the crashing path, with the caveat that this only covers the calls the application itself controls.