PT-2026-39446 · Php+1

Ilija Tovilo +1 · Published 2026-05-06 · Updated 2026-06-04 · CVE-2026-7258

CVSS v2.0: 7.8 High

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

PHP versions 8.2.0 through 8.2.30
PHP versions 8.3.0 through 8.3.30
PHP versions 8.4.0 through 8.4.20
PHP versions 8.5.0 through 8.5.5

Description

Certain functions, including urldecode(), pass signed characters to ctype functions such as isxdigit(). On systems utilizing default signed characters and optimized table-lookup ctype functions, such as NetBSD, this behavior can result in accessing an array with a negative offset, potentially triggering a denial of service.
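
The bug class described above, as an added example (not PHP's source code and not part of the original advisory): the first two helpers show the index a table-lookup ctype function would compute for a byte at or above 0x80 with and without the unsigned char cast, and url_decode is a hypothetical decoder that applies the cast before every isxdigit() call. All function names and the sample input are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Index a table-lookup ctype would compute when the caller passes a signed
   char straight through: bytes >= 0x80 sign-extend to a negative int. */
int index_if_signed(unsigned char byte) { return (int)(signed char)byte; }

/* Index after the unsigned char cast that <ctype.h> callers must apply. */
int index_if_cast(unsigned char byte) { return (int)byte; }

/* Cast first, then classify: the argument is always in 0..255. */
static int is_hex(char c) { return isxdigit((unsigned char)c) != 0; }

/* Only called on bytes that already passed is_hex(). */
static int hex_value(unsigned char c) {
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Hardened in-place decoder (hypothetical helper); returns decoded length. */
size_t url_decode(char *s, size_t len) {
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '+') {
            s[out++] = ' ';
        } else if (s[i] == '%' && len - i > 2
                   && is_hex(s[i + 1]) && is_hex(s[i + 2])) {
            s[out++] = (char)(hex_value((unsigned char)s[i + 1]) * 16
                              + hex_value((unsigned char)s[i + 2]));
            i += 2;
        } else {
            s[out++] = s[i];   /* invalid or truncated escape: copy as-is */
        }
    }
    return out;
}

int main(void) {
    char sample[] = "a%41+b%\xE9" "A";   /* constructed input, one byte >= 0x80 */
    size_t n = url_decode(sample, strlen(sample));
    printf("signed index %d, cast index %d, decoded length %zu\n",
           index_if_signed(0xE9), index_if_cast(0xE9), n);
    return 0;
}
```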

Recommendations

Update PHP version 8.2.x to 8.2.31
Update PHP version 8.3.x to 8.3.31
Update PHP version 8.4.x to 8.4.21
Update PHP version 8.5.x to 8.5.6

Fix

DoS

Out of bounds Read

Weakness Enumeration

Related Identifiers

ALSA-2026:22142
ALSA-2026:22143
ALSA-2026:22305
ALSA-2026:23388
BDU:2026-08591
BIT-LIBPHP-2026-7258
BIT-PHP-2026-7258
BIT-PHP-MIN-2026-7258
CVE-2026-7258
OESA-2026-2342
OESA-2026-2343
OESA-2026-2344
OESA-2026-2420
OESA-2026-2421
OPENSUSE-SU-2026:10747-1
RHSA-2026:14125

Affected Products

Php
Rocky Linux