CVE-2026-7259
NULL Pointer Dereference in PHP
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: PHP Group
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| php | php | 8.2.x before 8.2.31 (8.2.31 not affected) |
| php | php | 8.3.x before 8.3.31 (8.3.31 not affected) |
| php | php | 8.4.x before 8.4.21 (8.4.21 not affected) |
| php | php | 8.5.x before 8.5.6 (8.5.6 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a NULL pointer dereference in PHP's mbstring extension, specifically in the function php_mb_check_encoding() when called via mb_ereg_search_init().
It occurs because of a mismatch between encoding support in Oniguruma (the regex library) and mbfl (PHP's internal encoding library). Some encodings like iso-8859-11, EUC-JP, EUC-CN, and KOI8 are supported by Oniguruma but not by mbfl.
When mb_regex_encoding('iso-8859-11') is called, mbfl_name2encoding() returns NULL, which is then dereferenced in php_mb_check_encoding(), causing a segmentation fault.
This leads to a denial of service (DoS) if user-controlled input can influence the encoding passed to mb_regex_encoding() and the application uses mbregex search APIs.
How can this vulnerability impact me?
The vulnerability can cause a segmentation fault resulting in a denial of service (DoS) attack.
If an attacker can control the encoding passed to mb_regex_encoding(), they can trigger the crash, causing the PHP application to become unavailable.
This can disrupt services relying on PHP mbstring functions, potentially affecting availability and reliability of web applications.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To check for this vulnerability, first confirm whether your PHP build is a vulnerable version, then determine whether your application uses the mbstring extension's mbregex search APIs in a way that lets user-controlled input influence the encoding passed to mb_regex_encoding().
You can verify the PHP version with the following command:
- php -v
If the version is below the fixed release for its branch (8.2.31, 8.3.31, 8.4.21, or 8.5.6 respectively), your system is vulnerable.
To detect if your application calls mb_regex_encoding() with potentially unsafe encodings, you may need to audit your code or monitor runtime calls to mb_regex_encoding() with encodings like 'iso-8859-11', 'EUC-JP', 'EUC-CN', or 'KOI8'.
There are no specific network commands provided to detect exploitation attempts, but monitoring application logs for segmentation faults or crashes related to mbstring functions may help identify exploitation.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade PHP to a patched version: 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later.
If upgrading is not immediately possible, avoid passing user-controlled input to mb_regex_encoding() or mbregex search APIs to prevent triggering the NULL pointer dereference.
Additionally, review and sanitize any encoding parameters in your application to ensure they do not include unsupported encodings such as iso-8859-11, EUC-JP, EUC-CN, or KOI8.
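The version check from the detection answer and the encoding allowlist from the mitigation answer, written out as an added PHP example; this is not part of the CVE record or of PHP's own code. The fixed-version table is copied from the affected-versions list above; the function names, the default allowlist, and the $_GET['enc'] input are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Fixed releases per minor branch, taken from the affected-versions table.
const PHP_FIXED_VERSIONS = [
    '8.2' => '8.2.31',
    '8.3' => '8.3.31',
    '8.4' => '8.4.21',
    '8.5' => '8.5.6',
];

/**
 * Returns true when $version (e.g. PHP_VERSION) is at or above the fixed
 * release of its own minor branch, false when it is below it, and null for
 * branches the record does not list (treat null as "unknown", not "safe").
 */
function phpIsPatched(string $version): ?bool
{
    if (!preg_match('/^(\d+\.\d+)\.\d+/', $version, $m)) {
        return null;
    }
    $branch = $m[1];
    if (!isset(PHP_FIXED_VERSIONS[$branch])) {
        return null;
    }
    return version_compare($version, PHP_FIXED_VERSIONS[$branch], '>=');
}

/**
 * Sets the mbregex encoding only when $name is on the application's own
 * allowlist AND is an encoding that mbstring (mbfl) reports as supported.
 * Both checks run before mb_regex_encoding() sees the value, so a name that
 * Oniguruma knows but mbfl does not never reaches the vulnerable code path.
 * Returns true when the encoding was set, false when it was rejected.
 */
function safeSetRegexEncoding(string $name, array $allowlist = ['UTF-8']): bool
{
    // 1. Application allowlist: only the encodings this code path really needs.
    $upper   = strtoupper($name);
    $allowed = array_map('strtoupper', $allowlist);
    if (!in_array($upper, $allowed, true)) {
        return false;
    }
    // 2. Defence in depth: mb_list_encodings() enumerates what mbfl supports,
    //    and mbfl is the library whose failed lookup causes the crash.
    $supported = array_map('strtoupper', mb_list_encodings());
    if (!in_array($upper, $supported, true)) {
        return false;
    }
    return mb_regex_encoding($name);
}

// Version check: log when the running interpreter is below the fixed release
// for its branch, or when the branch is not covered by this record at all.
if (phpIsPatched(PHP_VERSION) !== true) {
    error_log('PHP ' . PHP_VERSION . ' is not a fixed release for CVE-2026-7259 (or not covered)');
}

// Constructed usage: $_GET['enc'] stands in for any user-controlled value.
// Unknown or disallowed names are rejected instead of being handed to mbregex.
$requested = $_GET['enc'] ?? 'UTF-8';
if (!safeSetRegexEncoding($requested, ['UTF-8', 'SJIS'])) {
    http_response_code(400);
    exit('unsupported regex encoding');
}
mb_ereg_search_init('sample text', 'sample');
var_dump(mb_ereg_search());
```

The allowlist is the real control: it should contain only the encodings the application is known to process, and UTF-8 alone is usually enough. The mb_list_encodings() check is a second line of defence in case the allowlist is later widened to a name that mbfl does not support; together they keep unsupported encodings from ever reaching mb_regex_encoding() while an upgrade to a fixed release is pending.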
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.