Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
Published: 2026-05-10
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A mismatch between the encoding lists kept by Oniguruma (the regex engine behind the mb_ereg_* functions) and mbfl (mbstring's own encoding library) causes php_mb_check_encoding() to dereference a NULL pointer when it is reached through mb_ereg_search_init(), producing a segmentation fault. The PHP process serving the request is killed, so the denial of service comes from process unavailability rather than resource exhaustion: under PHP-FPM (or a prefork Apache with mod_php) the parent respawns the dead worker, the in-flight request is lost, and a stream of crafted requests keeps killing workers. The weakness is identified as a null pointer dereference (CWE-476).

Affected Systems

The vulnerability affects PHP releases 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6 from the PHP Group. Any web application running one of these affected PHP versions is potentially impacted.

Risk and Exploitability

The CVSS 4.0 score of 2.1 (Low) reflects the preconditions recorded in the vector: high attack complexity (AC:H), an attack requirement (AT:P) and active user interaction (UI:A), and an impact limited to availability (VA:L, SA:L). In practice the attacker must be able to influence the encoding name passed to mb_regex_encoding(), which only happens when untrusted input reaches that call. No EPSS score is available and the CVE is not listed in the CISA KEV catalog, so no in-the-wild exploitation is documented. Where the precondition does hold, a single crafted request crashes the PHP worker that handles it, and repeated requests deny service to the affected web application.

Generated by OpenCVE AI on May 10, 2026 at 05:22 UTC.

Remediation

No vendor-supplied workaround is listed. The fix is contained in the releases named in the description (8.2.31, 8.3.31, 8.4.21 and 8.5.6); Debian ships it as DSA-6255-1 (php8.2) and DSA-6256-1 (php8.4).

OpenCVE Recommended Actions

  • Update PHP to 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later to include the fix.
  • Avoid passing user‑controlled values directly to mb_regex_encoding(); validate or sanitize encoding names before use.
  • If an immediate update is not possible, watch the PHP-FPM or web server error log for worker segfaults and respawns, and consider temporarily isolating the affected service until the patch is applied.
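The second recommendation above, as an added example that is not part of the OpenCVE page or of PHP itself: the untrusted encoding name is mapped onto a small allow-list before it can reach mb_regex_encoding(), and the allow-list is checked against mb_list_encodings() at startup so that every entry is a name mbstring's own table knows. The allow-list contents, the function names and the sample inputs are all constructed for the illustration; search_unsafe() is shown only for contrast and is not called.

```php
<?php
declare(strict_types=1);

// Constructed allow-list: the regex encodings this application actually
// needs. Every entry must be valid for mb_regex_encoding() and present in
// mbstring's table (mb_list_encodings()); keep it as short as possible.
const ALLOWED_REGEX_ENCODINGS = ['UTF-8', 'ISO-8859-1', 'EUC-JP'];

// Startup self-check: refuse to run with an allow-list entry that mbstring
// does not know, since that is the class of name this CVE is about.
$known = array_map('strtoupper', mb_list_encodings());
foreach (ALLOWED_REGEX_ENCODINGS as $enc) {
    if (!in_array(strtoupper($enc), $known, true)) {
        throw new RuntimeException("Allow-listed encoding unknown to mbstring: $enc");
    }
}

/**
 * Vulnerable pattern (not called below): the request parameter is handed
 * straight to mb_regex_encoding(), so an attacker picks the encoding that
 * mb_ereg_search_init() later runs php_mb_check_encoding() with.
 */
function search_unsafe(string $requestedEncoding, string $haystack, string $pattern): bool
{
    mb_regex_encoding($requestedEncoding);   // untrusted value reaches the sink
    return mb_ereg_search_init($haystack, $pattern) && mb_ereg_search();
}

/**
 * Map an untrusted name onto the allow-list. Only case and surrounding
 * whitespace are normalised; there is no alias lookup and no fallback to
 * the raw string. Returns the canonical name or null.
 */
function canonical_regex_encoding(string $requested): ?string
{
    $wanted = strtoupper(trim($requested));
    foreach (ALLOWED_REGEX_ENCODINGS as $allowed) {
        if (strtoupper($allowed) === $wanted) {
            return $allowed;
        }
    }
    return null;
}

/**
 * Hardened pattern: validate first, then set the encoding only for the
 * duration of the search. mb_regex_encoding() is per-request global state,
 * so the previous value is restored even if the search throws.
 */
function search_safe(string $requestedEncoding, string $haystack, string $pattern): bool
{
    $enc = canonical_regex_encoding($requestedEncoding);
    if ($enc === null) {
        throw new InvalidArgumentException("Unsupported regex encoding: $requestedEncoding");
    }
    $previous = mb_regex_encoding();
    mb_regex_encoding($enc);
    try {
        return mb_ereg_search_init($haystack, $pattern) && mb_ereg_search();
    } finally {
        mb_regex_encoding($previous);
    }
}

// Constructed inputs standing in for a request parameter such as ?enc=...
$samples = ['utf-8', ' ISO-8859-1 ', 'EUC-JP', 'utf8_general_ci', 'UTF-8;foo'];
foreach ($samples as $input) {
    try {
        $hit = search_safe($input, 'alpha beta gamma', 'beta');
        printf("%-16s accepted as %-11s match=%s\n",
            json_encode($input), canonical_regex_encoding($input), $hit ? 'yes' : 'no');
    } catch (InvalidArgumentException $e) {
        printf("%-16s rejected: %s\n", json_encode($input), $e->getMessage());
    }
}
```

Rejecting with an exception (a 400 response in a web handler) rather than falling back to a default matters here: a silent fallback hides the probing, and a fallback that still consults the raw string re-opens the sink.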

Generated by OpenCVE AI on May 10, 2026 at 05:22 UTC.

Advisories
Source      ID          Title
Debian DSA  DSA-6255-1  php8.2 security update
Debian DSA  DSA-6256-1  php8.4 security update
History

Sun, 10 May 2026 04:45:00 +0000

Type         Values Removed   Values Added
Description                   In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
Title                         Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
Weaknesses                    CWE-476
References
Metrics                       cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: php

Published:

Updated: 2026-05-10T04:13:26.766Z

Reserved: 2026-04-28T05:07:03.118Z

Link: CVE-2026-7259

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T05:16:11.507

Modified: 2026-05-10T05:16:11.507

Link: CVE-2026-7259

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T05:30:05Z

Weaknesses