CVE-2026-6104
Received Received - Intake
Out-of-Bounds Read in PHP mbstring Functions

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: PHP Group

Description
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-06-19
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2026-6104
EUVD
EUVD-2026-28979
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
php php to 8.4.21 (exc)
php php to 8.5.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in PHP versions before 8.4.21 and 8.5.6 in the mb_convert_encoding() function and related mbstring functions. When an encoding name containing an embedded NUL byte is passed, the code incorrectly assumes that a string comparison returning 0 means the strings have the same length. This leads to an out-of-bounds read of global memory.

Specifically, the issue occurs in the mbfl_name2encoding_ex() function where strncasecmp() matches up to the NUL byte in the attacker-supplied encoding name, then reads beyond the end of a global string into adjacent memory. This can cause a crash or leak sensitive information.

Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), mb_detect_order(), and settings like mbstring.detect_order and mbstring.http_output.

Impact Analysis

This vulnerability can lead to out-of-bounds reads of global memory, which may cause the PHP process to crash or disclose sensitive information from adjacent memory.

While it does not allow direct code execution, the information disclosure could expose sensitive data handled by the application, potentially compromising confidentiality.

Detection Guidance

This vulnerability can be detected by checking the PHP version in use to see if it is before 8.4.21 or 8.5.6, as these versions are affected.

Additionally, detection involves identifying if mbstring functions such as mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), or mb_detect_order() are being called with encoding names containing embedded NUL bytes.

No specific detection commands are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade PHP to version 8.4.21 or later, or 8.5.6 or later, where this vulnerability has been fixed.

Avoid passing encoding names containing embedded NUL bytes to mbstring functions such as mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order().

Review and sanitize inputs that influence mbstring.detect_order and mbstring.http_output INI settings to prevent exploitation.

Compliance Impact

This vulnerability can lead to out-of-bounds reads of global memory, potentially causing information disclosure. Such unintended exposure of sensitive data could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

However, the vulnerability is not directly exploitable for code execution, and the extent of information disclosure depends on the specific application context and data handled by the affected PHP functions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6104. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart