CVE-2026-6104
Out-of-Bounds Read in PHP mbstring Functions
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: PHP Group
Affected Vendors & Products
| Vendor | Product | Affected Version Range |
|---|---|---|
| php | php | all versions before 8.4.21 (8.4.21 itself not affected) |
| php | php | all versions before 8.5.6 (8.5.6 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in PHP versions before 8.4.21 and 8.5.6 in the mb_convert_encoding() function and related mbstring functions. When an encoding name containing an embedded NUL byte is passed, the code incorrectly assumes that a string comparison returning 0 means the strings have the same length. This leads to an out-of-bounds read of global memory.
Specifically, the issue occurs in the mbfl_name2encoding_ex() function where strncasecmp() matches up to the NUL byte in the attacker-supplied encoding name, then reads beyond the end of a global string into adjacent memory. This can cause a crash or leak sensitive information.
Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), mb_detect_order(), and settings like mbstring.detect_order and mbstring.http_output.
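To make the root cause concrete, here is an added example (not PHP's own mbstring code) of a hardened encoding-name lookup written against a small constructed name table. It shows the two checks that close the pattern described above: rejecting candidates with an embedded NUL byte, and requiring equal lengths before the case-insensitive compare so that a zero result from strncasecmp() can never be mistaken for a full match. The table contents and the function name lookup_encoding are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Constructed, minimal stand-in for a global table of encoding names.
 * PHP's real table is larger; these entries exist only for this example. */
static const char *const ENCODING_NAMES[] = {
    "UTF-8", "UTF-16", "ISO-8859-1", "SJIS", "ASCII",
};
#define ENCODING_COUNT (sizeof ENCODING_NAMES / sizeof ENCODING_NAMES[0])

/* Hardened lookup: returns the table index of the encoding, or -1.
 *
 * The defective pattern this CVE describes treats
 * strncasecmp(name, entry, len) == 0 as "same string". With
 * name = "UTF-8\0junk" (len 10) the compare stops at the NUL found in
 * both strings and returns 0, so the caller assumes equal length and
 * goes on to read past the end of the short global entry "UTF-8".
 * Two checks prevent that:
 *   1. reject any candidate that contains an embedded NUL byte, and
 *   2. require equal lengths before comparing bytes, so the compare
 *      never extends beyond the shorter string. */
int lookup_encoding(const char *name, size_t len)
{
    if (name == NULL || len == 0)
        return -1;
    /* Check 1: an embedded NUL can never be part of a valid encoding name. */
    if (memchr(name, '\0', len) != NULL)
        return -1;
    for (size_t i = 0; i < ENCODING_COUNT; i++) {
        const char *entry = ENCODING_NAMES[i];
        /* Check 2: lengths must agree; strncasecmp alone cannot tell
         * "UTF" (len 3) apart from "UTF-8". */
        if (strlen(entry) != len)
            continue;
        if (strncasecmp(name, entry, len) == 0)
            return (int)i;
    }
    return -1;
}
```

The same two checks apply at the application layer: a PHP caller that validates user-controlled encoding names against mb_list_encodings() before passing them to mbstring never reaches the defective comparison.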
How can this vulnerability impact me?
This vulnerability can lead to out-of-bounds reads of global memory, which may cause the PHP process to crash or disclose sensitive information from adjacent memory.
While it does not allow direct code execution, the information disclosure could expose sensitive data handled by the application, potentially compromising confidentiality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the PHP version in use to see if it is before 8.4.21 or 8.5.6, as these versions are affected.
Additionally, detection involves identifying if mbstring functions such as mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), or mb_detect_order() are being called with encoding names containing embedded NUL bytes.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade PHP to version 8.4.21 or later, or 8.5.6 or later, where this vulnerability has been fixed.
Avoid passing encoding names containing embedded NUL bytes to mbstring functions such as mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order().
Review and sanitize inputs that influence mbstring.detect_order and mbstring.http_output INI settings to prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can lead to out-of-bounds reads of global memory, potentially causing information disclosure. Such unintended exposure of sensitive data could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
However, the vulnerability is not directly exploitable for code execution, and the extent of information disclosure depends on the specific application context and data handled by the affected PHP functions.