🔐 CVE Alert

CVE-2026-6104

Severity UNKNOWN (CVSS 0.0)

Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 3rd

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that a return value of 0 from strncasecmp() means the two strings have the same length. strncasecmp() stops comparing at the first NUL byte in either string, so a name such as a valid encoding followed by a NUL byte and trailing bytes compares equal to the table entry while being longer than it; the length the code goes on to use then reaches past the end of the entry in global memory. This is an out-of-bounds read of global memory (CWE-125) that can cause a crash or disclose memory contents. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings, since all of them accept an encoding name from the caller.
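The comparison mistake described above, shown as an added example in C that is not php-src's code and does not use PHP's encoding table: a constructed table, a lookup that reproduces the faulty assumption (a zero return from strncasecmp() taken to mean the lengths agree), a helper that reports how far past the matched entry the faulty index reaches, and a hardened lookup that rejects embedded NUL bytes and checks lengths first. The table contents, the function names and the fixed 16-byte slot layout are assumptions made for this demo; the slots exist only so the faulty read stays inside defined memory, whereas in a real table of NUL-terminated literals the same read runs into whatever global data follows, which is the global buffer over-read the advisory describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp() */

/* Constructed illustration of the bug class in CVE-2026-6104.  This is NOT
 * php-src code and the table is NOT PHP's encoding table.  Entries sit in
 * fixed 16-byte, zero-padded slots so that the faulty index below stays
 * inside defined memory for the demo. */
#define SLOT 16
struct enc { char name[SLOT]; };
static const struct enc table[] = { {"ASCII"}, {"UTF-8"}, {"ISO-8859-1"} };
#define NTABLE (sizeof table / sizeof table[0])

/* Vulnerable pattern (constructed).  The caller supplies a length-counted
 * buffer; PHP strings may legitimately contain NUL bytes.  strncasecmp()
 * stops at the first NUL in either operand, so it returns 0 for
 * "utf-8\0zzzz" (10 bytes) against "UTF-8".  The code then treats name_len
 * as the length of the matched entry and indexes the entry with it, which
 * is past the entry's terminator.  The name_len < SLOT guard is only here
 * to keep the demo within the zero-padded slot. */
int vuln_find_encoding(const char *name, size_t name_len)
{
    for (size_t i = 0; i < NTABLE; i++) {
        const char *entry = table[i].name;
        if (name_len < SLOT
            && strncasecmp(name, entry, name_len) == 0
            && entry[name_len] == '\0')   /* faulty "same length" assumption */
            return (int)i;
    }
    return -1;
}

/* Number of bytes beyond the matched entry's real length that the faulty
 * assumption reaches; 0 when the lengths genuinely agree or nothing matched. */
size_t overread_bytes(const char *name, size_t name_len)
{
    int i = vuln_find_encoding(name, name_len);
    if (i < 0)
        return 0;
    size_t real_len = strlen(table[i].name);
    return name_len > real_len ? name_len - real_len : 0;
}

/* Hardened lookup: an encoding name can never contain a NUL byte, so reject
 * one up front, and require the lengths to agree before comparing bytes. */
int safe_find_encoding(const char *name, size_t name_len)
{
    if (memchr(name, '\0', name_len) != NULL)
        return -1;
    for (size_t i = 0; i < NTABLE; i++) {
        const char *entry = table[i].name;
        if (strlen(entry) == name_len && strncasecmp(name, entry, name_len) == 0)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed input: a valid name, an embedded NUL, then trailing bytes. */
    static const char evil[] = "utf-8\0zzzz";
    size_t evil_len = sizeof evil - 1;   /* 10 bytes, NUL at offset 5 */

    printf("vulnerable lookup: index %d, reaches %zu byte(s) past the entry\n",
           vuln_find_encoding(evil, evil_len), overread_bytes(evil, evil_len));
    printf("hardened lookup:   index %d\n", safe_find_encoding(evil, evil_len));
    return 0;
}
```

The vulnerable lookup accepts the 10-byte input as "UTF-8" and would then index five bytes past that entry; the hardened lookup refuses it before any comparison. The same two checks (no embedded NUL, exact length match) are the ones to look for when reviewing any name-to-table lookup that receives a length-counted string but compares it with a NUL-terminated C function.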

CWE CWE-125
Vendor php group
Product php
Published May 10, 2026
Last Updated May 11, 2026

Affected Versions

PHP Group / PHP
8.4.* < 8.4.21 8.5.* < 8.5.6

References

NVD · CVE.org · EPSS data
GitHub advisory: https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53

Credits

Akshay Jain, Ilija Tovilo