CVE-2026-7259
Received - Intake
NULL Pointer Dereference in PHP

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: PHP Group

Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
Meta Information
Published: 2026-05-10
Last Modified: 2026-05-10
Generated: 2026-06-19
AI Q&A: 2026-05-10
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Showing 4 associated CPEs

Vendor | Product | Version / Range
php | php | to 8.2.31 (exc)
php | php | to 8.3.31 (exc)
php | php | to 8.4.21 (exc)
php | php | to 8.5.6 (exc)

CWE ID | Description
CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a NULL pointer dereference in PHP's mbstring extension, specifically in the function php_mb_check_encoding() when called via mb_ereg_search_init().

It occurs because of a mismatch between encoding support in Oniguruma (the regex library) and mbfl (PHP's internal encoding library). Some encodings like iso-8859-11, EUC-JP, EUC-CN, and KOI8 are supported by Oniguruma but not by mbfl.

When mb_regex_encoding('iso-8859-11') is called, mbfl_name2encoding() returns NULL, which is then dereferenced in php_mb_check_encoding(), causing a segmentation fault.

This leads to a denial of service (DoS) if user-controlled input can influence the encoding passed to mb_regex_encoding() and the application uses mbregex search APIs.

Impact Analysis

The vulnerability can cause a segmentation fault, resulting in a denial of service (DoS).

If an attacker can control the encoding passed to mb_regex_encoding(), they can trigger the crash, causing the PHP application to become unavailable.

This can disrupt services relying on PHP mbstring functions, potentially affecting availability and reliability of web applications.

Detection Guidance

This vulnerability can be detected by checking if your PHP environment is using a vulnerable version and if your application uses the mbstring extension's mbregex search APIs with user-controlled input influencing the encoding passed to mb_regex_encoding().

You can verify the PHP version with the following command:

  • php -v

If the version is in the 8.2 branch before 8.2.31, the 8.3 branch before 8.3.31, the 8.4 branch before 8.4.21, or the 8.5 branch before 8.5.6, your system is vulnerable.
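
The per-branch comparison above, as an added shell example (not from the advisory or from PHP): the function names are hypothetical and the sample banners are constructed. A distribution package that backports the fix under an older version number is still reported as affected, so confirm such hosts against the vendor's own advisory.

```shell
#!/bin/sh
# Added example: triage `php -v` output against the fixed releases named
# in this advisory. Function names are hypothetical, not PHP tooling.

# Extract "8.3.12" from a banner such as "PHP 8.3.12 (cli) (built: ...)".
php_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^PHP \([^ ]*\).*/\1/p'
}

# Print: affected | patched | prerelease | not-listed | unparsed
php_cve_2026_7259_status() {
    # Leading MAJOR.MINOR.PATCH only; packaging suffixes are ignored here.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unparsed; return; }
    branch=${ver%.*}
    patch=${ver##*.}
    # First fixed patch level per branch, from the advisory text.
    case $branch in
        8.2|8.3) fixed=31 ;;
        8.4)     fixed=21 ;;
        8.5)     fixed=6 ;;
        *)       echo not-listed; return ;;  # branch not covered by the advisory
    esac
    if [ "$patch" -lt "$fixed" ]; then
        echo affected
        return
    fi
    # An RC/alpha/beta/dev build numbered like a fixed release may predate
    # the fix, so flag it for manual review rather than calling it patched.
    case $1 in
        *[Rr][Cc]*|*alpha*|*beta*|*-dev*) echo prerelease ;;
        *) echo patched ;;
    esac
}

# Constructed sample banners (not real host output).
for banner in \
    'PHP 8.2.30 (cli) (built: Jan  1 2026 00:00:00) (NTS)' \
    'PHP 8.4.21-1ubuntu1 (cli) (built: Jan  1 2026 00:00:00) (NTS)' \
    'PHP 8.1.33 (cli) (built: Jan  1 2026 00:00:00) (NTS)'
do
    v=$(php_version_from_banner "$banner")
    printf '%s\t%s\n' "$v" "$(php_cve_2026_7259_status "$v")"
done
```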

To detect if your application calls mb_regex_encoding() with potentially unsafe encodings, you may need to audit your code or monitor runtime calls to mb_regex_encoding() with encodings like 'iso-8859-11', 'EUC-JP', 'EUC-CN', or 'KOI8'.

There are no specific network commands provided to detect exploitation attempts, but monitoring application logs for segmentation faults or crashes related to mbstring functions may help identify exploitation.

Mitigation Strategies

The immediate mitigation step is to upgrade PHP to a patched version: 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later.

If upgrading is not immediately possible, avoid passing user-controlled input to mb_regex_encoding() or mbregex search APIs to prevent triggering the NULL pointer dereference.

Additionally, review and sanitize any encoding parameters in your application to ensure they do not include unsupported encodings such as iso-8859-11, EUC-JP, EUC-CN, or KOI8.
