CVE Alert

CVE-2026-7259

UNKNOWN 0.0

Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 13th

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().

CWE: CWE-476
Vendor: php group
Product: php
Published: May 10, 2026
Last Updated: May 11, 2026

Affected Versions

PHP Group / PHP
8.2.* < 8.2.31
8.3.* < 8.3.31
8.4.* < 8.4.21
8.5.* < 8.5.6

References

github.com: https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75

Credits

Viet Hoang Luu (The University of Melbourne)
Amirmohammad Pasdar (The University of Melbourne)
Wachiraphan Charoenwet (The University of Melbourne)
Shaanan Cohney (The University of Melbourne)
Toby Murray (The University of Melbourne)
Van-Thuan Pham (The University of Melbourne)
Ilija Tovilo