PT-2026-39447 · Php+2

Amirmohammad Pasdar +5 · Published 2026-05-07 · Updated 2026-06-04 · CVE-2026-7259

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

PHP versions 8.2.0 through 8.2.30
PHP versions 8.3.0 through 8.3.30
PHP versions 8.4.0 through 8.4.20
PHP versions 8.5.0 through 8.5.5

Description

A mismatch between the encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, which results in a segmentation fault and denial of service. This occurs when user-controlled input influences the encoding passed to the mb_regex_encoding() function.

Recommendations

Update to version 8.2.31 or later.
Update to version 8.3.31 or later.
Update to version 8.4.21 or later.
Update to version 8.5.6 or later.
As a temporary workaround, restrict user-controlled input from influencing the encoding passed to the mb_regex_encoding() function.
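
One way to apply the temporary workaround, shown as an added example that is not part of the advisory or of PHP itself: the request value is used only as a lookup key into a fixed allowlist, so no user-supplied string ever reaches mb_regex_encoding(). The function names, the allowlist entries and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: only the encodings this application needs.
// The advisory does not say which names trigger the mismatch, so these
// entries are assumptions; keep the list minimal and test it on your build.
const REGEX_ENCODING_ALLOWLIST = [
    'utf-8'  => 'UTF-8',
    'utf8'   => 'UTF-8',
    'euc-jp' => 'EUC-JP',
    'sjis'   => 'SJIS',
];
const REGEX_ENCODING_DEFAULT = 'UTF-8';

/**
 * Map an untrusted encoding label to a fixed server-side constant.
 * The caller's string is used only as a lookup key; it is never
 * passed to mb_regex_encoding() itself.
 */
function select_regex_encoding(?string $requested): string
{
    if ($requested === null) {
        return REGEX_ENCODING_DEFAULT;
    }
    $key = strtolower(trim($requested));
    return REGEX_ENCODING_ALLOWLIST[$key] ?? REGEX_ENCODING_DEFAULT;
}

/** Set the mbregex encoding from a request value and return what was applied. */
function apply_regex_encoding(?string $requested): string
{
    $encoding = select_regex_encoding($requested);
    if (mb_regex_encoding($encoding) !== true) {
        throw new RuntimeException('mb_regex_encoding() rejected ' . $encoding);
    }
    return $encoding;
}

// Constructed sample inputs standing in for a request parameter.
$samples = ['UTF-8', ' euc-jp ', 'not-a-real-encoding', str_repeat('A', 4096), null];
foreach ($samples as $input) {
    $label = $input === null ? '(absent)' : substr($input, 0, 24);
    printf("%-26s -> %s\n", $label, apply_regex_encoding($input));
}
```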

Fix

DoS

NULL Pointer Dereference


Weakness Enumeration

Related Identifiers

ALSA-2026:23388
BIT-LIBPHP-2026-7259
BIT-PHP-2026-7259
BIT-PHP-MIN-2026-7259
CVE-2026-7259
OESA-2026-2340
OESA-2026-2341
OESA-2026-2342
OESA-2026-2343
OESA-2026-2344
OPENSUSE-SU-2026:10747-1
USN-8336-1

Affected Products

Linuxmint
Php
Ubuntu