CVE-2026-7258
Integer Overflow in PHP Leading to DoS Vulnerability

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: PHP Group

Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass a signed char to ctype functions (such as isxdigit()). On systems where char is signed by default and the ctype functions are implemented as optimized table lookups, such as NetBSD, this can lead to accessing an array with a negative offset, which can trigger a denial of service.
Meta Information

Published: 2026-05-10
Last Modified: 2026-05-10
Generated: 2026-06-19
AI Q&A: 2026-05-10
EPSS Evaluated: 2026-06-18
References: NVD, EUVD
Affected Vendors & Products
Showing 4 associated CPEs

Vendor  Product  Version / Range
php     php      up to 8.2.31 (exclusive)
php     php      up to 8.3.31 (exclusive)
php     php      up to 8.4.21 (exclusive)
php     php      up to 8.5.6 (exclusive)
Helpful Resources
Exploitability

CWE

CWE ID   Description
CWE-125  The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-7258 is a vulnerability in PHP's urldecode() function caused by improper handling of signed char values passed to ctype functions such as isxdigit(). Specifically, in PHP versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6, the function php_url_decode_ex() calls isxdigit() with negative integer values because of incorrect type casting.

On systems such as NetBSD, where the ctype functions use optimized table lookups and char is signed by default, this leads to an out-of-bounds read when the lookup table is indexed with a negative offset. This can cause a segmentation fault and trigger a denial of service.
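The root cause described above is a general C pitfall, not something specific to PHP: the ctype functions are only defined for values representable as unsigned char, plus EOF, so a plain char holding a byte of 0x80 or above is promoted to a negative int on signed-char platforms. The following is an added illustration, not PHP's code and not the PHP project's patch; it shows the value the buggy pattern `isxdigit(*s)` actually passes, the conventional `(unsigned char)` discipline that keeps the argument in the defined domain, and a small percent-decoder (standing in for urldecode(), with a constructed input) written that way. The function names and the sample input are this example's own.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if `c` is a value the ctype functions are defined for:
 * EOF, or something representable as unsigned char (0..UCHAR_MAX). */
int ctype_arg_is_valid(int c) {
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* What the unsafe pattern `isxdigit(*s)` really passes: the char is
 * promoted to int with its sign intact, so a byte >= 0x80 becomes negative
 * wherever char is signed. A table-driven isxdigit() then indexes its
 * lookup table with that negative value. */
int promoted_arg_signed(char c) {
    return (int)c;
}

/* The conventional fix: widen through unsigned char first, so the value
 * is always within 0..UCHAR_MAX regardless of the platform's char signedness. */
int promoted_arg_unsigned(char c) {
    return (int)(unsigned char)c;
}

/* Wrapper that never hands isxdigit() an out-of-domain value. */
int safe_isxdigit(char c) {
    return isxdigit((unsigned char)c) != 0;
}

/* Numeric value of a hex digit, or -1 when `c` is not one. */
static int hexval(char c) {
    unsigned char u = (unsigned char)c;
    if (u >= '0' && u <= '9') return u - '0';
    if (u >= 'a' && u <= 'f') return u - 'a' + 10;
    if (u >= 'A' && u <= 'F') return u - 'A' + 10;
    return -1;
}

/* Percent-decode `in` into `out` (capacity `outsz`), the job urldecode() does.
 * Every ctype call goes through the unsigned-char wrapper, so high-bit bytes
 * in the input (which appear once "%C3%A9" has been decoded, or arrive raw)
 * are safe to inspect. Non-hex escapes are copied verbatim, '+' becomes ' '.
 * Returns the decoded length; the output is NUL-terminated. */
size_t percent_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        /* safe_isxdigit('\0') is 0, so the && short-circuits before in[i+2]. */
        if (in[i] == '%' && safe_isxdigit(in[i + 1]) && safe_isxdigit(in[i + 2])) {
            out[o++] = (char)(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

int main(void) {
    /* Constructed input: "caf%C3%A9+%zz" decodes to "caf", the UTF-8 bytes
     * of "é" (0xC3 0xA9), a space, and the literal "%zz". */
    const char sample[] = "caf%C3%A9+%zz";
    char buf[32];
    size_t n = percent_decode(sample, buf, sizeof buf);
    printf("decoded %zu bytes\n", n);
    for (size_t i = 0; i < n; i++) {
        int s = promoted_arg_signed(buf[i]);
        printf("byte 0x%02x: as plain char -> %d (%s); via unsigned char -> %d\n",
               (unsigned char)buf[i], s,
               ctype_arg_is_valid(s) ? "in domain" : "OUT OF DOMAIN",
               promoted_arg_unsigned(buf[i]));
    }
    return 0;
}
```

On a signed-char platform the two decoded high-bit bytes print as -61 and -87 under the plain-char promotion and as 195 and 169 via unsigned char; only the latter are values a ctype lookup is defined for. Whether the plain-char version crashes, returns garbage or happens to work depends entirely on how the libc lays out its table, which is why the same code can be fine on one libc and fault on another.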

Impact Analysis

The impact is a denial of service on affected systems running vulnerable PHP versions. An attacker can trigger the flaw without any privileges or user interaction; the out-of-bounds read causes a segmentation fault and crashes the PHP process.

The primary impact is on system availability, potentially disrupting services that rely on PHP's urldecode() function.

Detection Guidance

This vulnerability manifests as a denial of service caused by an out-of-bounds read in PHP's urldecode() function, which can lead to segmentation faults on affected systems.

To detect if your system is vulnerable, you can check the installed PHP version to see if it is prior to the patched versions (8.2.31, 8.3.31, 8.4.21, or 8.5.6).

  • Run the command: php -v

If your PHP version is vulnerable, you might observe crashes or segmentation faults when applications use the urldecode() function, especially on platforms like NetBSD.

You can also monitor system logs for segmentation faults related to PHP processes.

Mitigation Strategies

The immediate mitigation step is to upgrade PHP to a patched version where this vulnerability is fixed.

  • Upgrade PHP to version 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later.

Until the upgrade is applied, consider limiting exposure by restricting access to PHP services, especially on vulnerable platforms like NetBSD.

Monitor your systems for crashes or unusual behavior related to PHP processes and restart services as needed.

Compliance Impact

The vulnerability primarily causes a denial of service by triggering an out-of-bounds read in PHP's urldecode() function on certain platforms. It affects system availability but does not directly involve unauthorized access to sensitive data or personal information.

There is no information provided that links this vulnerability to violations of common standards or regulations such as GDPR or HIPAA, which focus on data privacy and protection.
