CVE-2026-7259 LOW

CVE-2026-7259: Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()

Vendor Php Group

Product PHP

Weakness CWE-476

Published May 10, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

2.1/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/U:Amber

What the vulnerability does

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().

Key dates

Disclosure timeline

May 10, 2026 CVE published

May 11, 2026 Record updated

Identifiers

CVE CVE-2026-7259

CWE CWE-476

CVSS 2.1 / LOW

Affected versions

Vendor Php Group

Product PHP

Affected ≥ 8.2.* and < 8.2.31

Vendor Php Group

Product PHP

Affected ≥ 8.3.* and < 8.3.31

Vendor Php Group

Product PHP

Affected ≥ 8.4.* and < 8.4.21

Vendor Php Group

Product PHP

Affected ≥ 8.5.* and < 8.5.6