Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
Published: 2026-05-10
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A mismatch between the encoding lists in Oniguruma and mbfl causes a NULL pointer dereference that leads to a segmentation fault, crashing the PHP process and resulting in a denial of service (the affected service becomes unavailable). The weakness is classified as a NULL pointer dereference (CWE-476).

Affected Systems

The vulnerability affects PHP releases 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6 from the PHP Group. Any web application running one of these affected PHP versions is potentially impacted.

Risk and Exploitability

The CVSS score of 2.1 classifies the severity as low; however, the exploit requires that an attacker can influence the encoding parameter passed to mb_regex_encoding(), which typically occurs when user input reaches this function. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation is not currently documented. Despite the low score, an attacker who can inject controlled data into the encoding argument can trigger a fatal crash of the PHP interpreter, leading to denial of service for the affected web service.

Generated by OpenCVE AI on May 10, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PHP to 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later to include the fix.
  • Avoid passing user‑controlled values directly to mb_regex_encoding(); validate or sanitize encoding names before use.
  • If an immediate update is not possible, monitor for unexpected PHP process restarts or service outages and consider temporarily isolating the affected services until the patch is applied.

Generated by OpenCVE AI on May 10, 2026 at 05:22 UTC.
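The second recommended action above (validate encoding names before they reach mb_regex_encoding()) carried through as a worked example. This is added illustration, not code from OpenCVE, the advisory or the PHP project; the allowlist contents, the function names resolveRegexEncoding() and setRegexEncodingSafely(), and the query parameter `enc` are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory or of PHP itself. The encodings
// listed here are an assumption: an application should allowlist only the
// encodings its regex code actually needs, so that arbitrary encoding names
// from a request never reach mb_regex_encoding().
const REGEX_ENCODING_ALLOWLIST = ['UTF-8', 'ISO-8859-1', 'EUC-JP', 'SJIS'];

/**
 * Map a caller-supplied encoding name onto the allowlist.
 * Returns the canonical allowlisted name, or null when the input is
 * missing, empty, or not on the list. Matching ignores case and surrounding
 * whitespace ("utf-8 " resolves to "UTF-8"); aliases are deliberately not
 * expanded, so anything outside the list is rejected rather than passed on.
 */
function resolveRegexEncoding(?string $requested): ?string
{
    if ($requested === null || trim($requested) === '') {
        return null;
    }
    $needle = strtoupper(trim($requested));
    foreach (REGEX_ENCODING_ALLOWLIST as $allowed) {
        if (strtoupper($allowed) === $needle) {
            return $allowed;
        }
    }
    return null;
}

/**
 * Set the mb_ereg* encoding from untrusted input, falling back to $fallback
 * when the input is rejected. The ValueError catch is defense in depth:
 * PHP 8 throws it for names mbstring itself rejects, and the fallback keeps
 * the request on a known-good encoding instead of aborting.
 * Returns the encoding actually applied plus whether the input was accepted.
 */
function setRegexEncodingSafely(?string $requested, string $fallback = 'UTF-8'): array
{
    $resolved = resolveRegexEncoding($requested);
    $chosen = $resolved ?? $fallback;
    try {
        mb_regex_encoding($chosen);
    } catch (\ValueError $e) {
        mb_regex_encoding($fallback);
        $chosen = $fallback;
        $resolved = null;
    }
    return ['encoding' => $chosen, 'accepted' => $resolved !== null];
}

// Constructed usage: the encoding name arrives as the hypothetical query
// parameter "enc"; a request such as ?enc=BOGUS is logged and served as UTF-8.
$requested = $_GET['enc'] ?? null;
$result = setRegexEncodingSafely($requested);
if (!$result['accepted']) {
    error_log(sprintf('rejected regex encoding %s; using %s',
        var_export($requested, true), $result['encoding']));
}
// Only after this point should mb_ereg_search_init() and related calls run.
```

The allowlist is deliberately explicit rather than derived from mb_list_encodings(): the advisory attributes the crash to a mismatch between the mbfl and Oniguruma encoding lists, so "known to mbstring" is not by itself evidence that an encoding is safe to hand to the regex functions. Rejected names are logged with var_export() so that a burst of unusual values shows up in application logs as a detection signal.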


Advisories

Source        ID           Title
Debian DSA    DSA-6255-1   php8.2 security update
Debian DSA    DSA-6256-1   php8.4 security update
Ubuntu USN    USN-8336-1   PHP vulnerabilities

History

Sat, 30 May 2026 00:15:00 +0000
  References: (no values listed)
  Metrics (threat_severity): removed "None"; added "Moderate"

Tue, 12 May 2026 17:45:00 +0000
  First Time appeared: Php; Php php
  CPEs: added cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
  Vendors & Products: added Php; Php php
  Metrics (cvssV3_1): added {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Mon, 11 May 2026 15:15:00 +0000
  Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 06:15:00 +0000
  First Time appeared: Php Group; Php Group php
  Vendors & Products: added Php Group; Php Group php

Sun, 10 May 2026 04:45:00 +0000
  Description: added "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding()."
  Title: added "Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()"
  Weaknesses: added CWE-476
  References: (no values listed)
  Metrics (cvssV4_0): added {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: php

Published:

Updated: 2026-05-11T13:13:50.416Z

Reserved: 2026-04-28T05:07:03.118Z

Link: CVE-2026-7259

Vulnrichment

Updated: 2026-05-11T13:13:46.335Z

NVD

Status : Analyzed

Published: 2026-05-10T05:16:11.507

Modified: 2026-05-12T17:40:38.567

Link: CVE-2026-7259

Redhat

Severity : Moderate

Public Date: 2026-05-10T04:13:26Z

Links: CVE-2026-7259 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-10T06:00:05Z

Weaknesses