CVE-2026-7258
Integer Overflow in PHP Leading to DoS Vulnerability
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: PHP Group
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions (fixed release) |
|---|---|---|
| php | php | 8.2 branch before 8.2.31 (fixed in 8.2.31) |
| php | php | 8.3 branch before 8.3.31 (fixed in 8.3.31) |
| php | php | 8.4 branch before 8.4.21 (fixed in 8.4.21) |
| php | php | 8.5 branch before 8.5.6 (fixed in 8.5.6) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7258 is an out-of-bounds read in PHP's urldecode() function. In PHP versions before 8.2.31, 8.3.31, 8.4.21 and 8.5.6, the internal function php_url_decode_ex() passes the bytes that follow a '%' to isxdigit() as plain char values promoted to int. On platforms where char is signed, every byte with the top bit set (0x80 to 0xFF, which is every non-ASCII byte) becomes a negative int, and the C standard only defines the ctype functions for values representable as unsigned char or equal to EOF; the missing cast to unsigned char is the root cause.
On systems such as NetBSD, where the ctype functions are implemented as a direct table lookup and char is signed by default, that negative value is used as the table index and the lookup reads before the start of the table. The resulting out-of-bounds read can cause a segmentation fault, so an attacker who controls the input to urldecode() can crash the PHP process and cause a denial of service.
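The following C program is an added example, not code from PHP or from this advisory, that shows the signed-char mistake described above beside its hardened form. ctype_arg_as_signed_char() reproduces the value isxdigit() would receive for a high byte on a signed-char platform regardless of the host's char signedness; count_negative_ctype_args() walks an input the way the vulnerable loop does and counts the bytes that would reach isxdigit() as negative ints, without actually making that call; url_decode_safe() is a percent-decoder of the same shape that applies the unsigned char cast first. The function names, the decoder and the sample input are constructed for this example; the decoder mirrors the loop structure the advisory describes ('+' to space, "%XX" to a byte, everything else copied through), not PHP's actual source or the upstream patch.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* On a platform where `char` is signed, a byte >= 0x80 stored in a plain
 * char and promoted to int becomes negative. That is the value the
 * unhardened code hands to isxdigit(). We compute it explicitly through a
 * signed char so the result does not depend on the host's char signedness
 * (two's complement assumed, as on every mainstream platform). */
int ctype_arg_as_signed_char(unsigned char byte)
{
    return (int)(signed char)byte;   /* 0xC3 -> -61 */
}

/* The hardened form: casting to unsigned char first keeps the argument in
 * the 0..255 range that the C standard allows for the <ctype.h> functions. */
int ctype_arg_as_unsigned_char(unsigned char byte)
{
    return (int)byte;                /* 0xC3 -> 195 */
}

/* Value of a single hex digit; the caller has already validated it. */
static int hex_value(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return c - 'A' + 10;
}

/* Hardened percent-decoder (constructed for this example). Writes at most
 * `len` bytes to `out` and returns the decoded length; `out` is not
 * NUL-terminated. Every ctype call goes through an unsigned char cast. */
size_t url_decode_safe(const char *in, size_t len, char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '+') {
            out[o++] = ' ';
        } else if (c == '%' && i + 2 < len
                   && isxdigit((unsigned char)in[i + 1])
                   && isxdigit((unsigned char)in[i + 2])) {
            out[o++] = (char)((hex_value((unsigned char)in[i + 1]) << 4)
                              | hex_value((unsigned char)in[i + 2]));
            i += 2;
        } else {
            out[o++] = (char)c;
        }
    }
    return o;
}

/* Walk the input the way the unhardened loop does and count the bytes that
 * would reach isxdigit() as a negative int on a signed-char platform: the
 * byte after '%' (always evaluated) and, when that byte is a hex digit, the
 * one after it (short-circuit &&). The undefined isxdigit(negative) call is
 * deliberately NOT made here; that call is what faults on NetBSD. */
size_t count_negative_ctype_args(const char *in, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (in[i] != '%' || i + 2 >= len)
            continue;
        unsigned char a = (unsigned char)in[i + 1];
        unsigned char b = (unsigned char)in[i + 2];
        if (ctype_arg_as_signed_char(a) < 0) {
            n++;                      /* first argument negative */
        } else if (isxdigit(a)) {
            if (ctype_arg_as_signed_char(b) < 0)
                n++;                  /* second argument negative */
            else if (isxdigit(b))
                i += 2;               /* valid %XX: loop skips both digits */
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample: '%' followed by the UTF-8 bytes of "é" (0xC3 0xA9). */
    const char sample[] = "%\xC3\xA9";
    char out[sizeof sample];
    printf("byte 0xC3 reaches isxdigit() as %d via signed char, %d via unsigned char\n",
           ctype_arg_as_signed_char(0xC3), ctype_arg_as_unsigned_char(0xC3));
    printf("negative ctype arguments in sample: %zu; safe decode length: %zu\n",
           count_negative_ctype_args(sample, 3), url_decode_safe(sample, 3, out));
    return 0;
}
```

Any input that places a non-ASCII byte directly after a '%' (or after "%" plus one hex digit) triggers the bad call, so the trigger is a single high byte in a query string or form field, not a malformed or oversized request. The same invariant applies to every <ctype.h> call on raw input bytes: cast to unsigned char first.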
How can this vulnerability impact me?
This vulnerability can impact you by causing a denial of service on affected systems running vulnerable PHP versions. An attacker can exploit this flaw without any privileges or user interaction, leading to a crash of the PHP process due to an out-of-bounds read and segmentation fault.
The primary impact is on system availability, potentially disrupting services that rely on PHP's urldecode() function.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation shows up as a crash (an out-of-bounds read followed by a segmentation fault) in a PHP process while it decodes attacker-supplied input with urldecode(); it leaves no persistent indicator, so the dependable check is the installed version.
To determine whether a system is vulnerable, compare the installed PHP version against the fixed releases (8.2.31, 8.3.31, 8.4.21 and 8.5.6): any build on those branches below the fixed release is affected.
- Run the command: php -v (or php -r 'echo PHP_VERSION, PHP_EOL;' to print only the version string)
A vulnerable build only crashes where char is signed and the libc ctype functions index a table directly with the argument, as on NetBSD; on other platforms the same code path exists but may not fault, so an absence of crashes does not mean the build is patched.
You can also monitor system logs for segmentation faults in PHP processes; php-fpm records a crashed worker in its error log as a child that "exited on signal 11 (SIGSEGV)", and a burst of such entries correlated with requests carrying non-ASCII bytes after a '%' is consistent with this bug.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade PHP to a patched version where this vulnerability is fixed.
- Upgrade PHP to version 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later.
Until the upgrade is applied, limit exposure by restricting which clients can reach PHP services that pass untrusted input to urldecode(), particularly on platforms such as NetBSD where the crash is reproducible.
Monitor your systems for crashes or unusual behavior related to PHP processes and restart services as needed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability primarily causes a denial of service by triggering an out-of-bounds read in PHP's urldecode() function on certain platforms. It affects system availability but does not directly involve unauthorized access to sensitive data or personal information.
There is no information provided that links this vulnerability to violations of common standards or regulations such as GDPR or HIPAA, which focus on data privacy and protection.