PHP: Malicious Encoding Can Cause Crash or Data Exposure
UBUNTU-CVE-2026-6104
Summary
PHP 8.4 and 8.5 have a bug in the mbstring extension that can cause a crash or let an attacker read sensitive information when a crafted encoding name is passed to the affected functions. This issue affects websites and applications using PHP, and it's recommended to update to the latest version to fix the problem.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Ubuntu:25.10 | canonical | php8.4 | All versions |
| Ubuntu:26.04:LTS | canonical | php8.5 | All versions |
Original description
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
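The root cause described above is a general C pitfall: strncasecmp() stops at the first NUL byte in either operand, so a return value of 0 only says the two strings agree up to that point, not that they have the same length. The following is an added illustration of that bug class and its fix, not PHP's own code; the encoding table and the shape of the lookup function are assumptions constructed for the example, and the code deliberately stops at the point where the flawed lookup reports a bogus match rather than reproducing the out-of-bounds read.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed table of encoding names. It stands in for whatever table the
 * real mbstring code consults; the advisory does not show that table. */
static const char *const ENCODINGS[] = { "UTF-8", "ISO-8859-1", "SJIS", "UTF-16LE" };
#define NUM_ENCODINGS (sizeof ENCODINGS / sizeof ENCODINGS[0])

/* Flawed lookup: treats strncasecmp() == 0 as "identical name".
 * strncasecmp() stops at the first NUL in either operand, so a candidate
 * such as "UTF-8\0\0\0\0\0\0" (len 11) "matches" the 5-byte entry "UTF-8".
 * Code that later trusts `len` as the entry's length reads past its end. */
int lookup_flawed(const char *name, size_t len) {
    for (size_t i = 0; i < NUM_ENCODINGS; i++) {
        if (strncasecmp(name, ENCODINGS[i], len) == 0) {
            return (int)i;
        }
    }
    return -1;
}

/* Hardened lookup: a name with an embedded NUL cannot be a valid encoding
 * name, so it is rejected up front, and an exact match additionally requires
 * the table entry to have exactly the candidate's length. */
int lookup_hardened(const char *name, size_t len) {
    if (memchr(name, '\0', len) != NULL) {
        return -1;                      /* embedded NUL byte: reject */
    }
    for (size_t i = 0; i < NUM_ENCODINGS; i++) {
        if (strlen(ENCODINGS[i]) == len &&
            strncasecmp(name, ENCODINGS[i], len) == 0) {
            return (int)i;
        }
    }
    return -1;
}

int main(void) {
    /* Constructed inputs: a normal name and one carrying embedded NULs. */
    const char normal[] = "utf-8";
    const char with_nul[] = "UTF-8\0\0\0\0\0\0";        /* 11 bytes of data */

    printf("flawed   (\"utf-8\")      -> %d\n", lookup_flawed(normal, 5));
    printf("hardened (\"utf-8\")      -> %d\n", lookup_hardened(normal, 5));
    printf("flawed   (\"UTF-8\\0...\") -> %d (bogus match)\n",
           lookup_flawed(with_nul, sizeof with_nul - 1));
    printf("hardened (\"UTF-8\\0...\") -> %d (rejected)\n",
           lookup_hardened(with_nul, sizeof with_nul - 1));
    return 0;
}
```

The hardened version is the pattern to look for when reviewing any C code that maps a caller-supplied, length-delimited string onto a table of NUL-terminated names: compare lengths before trusting a prefix comparison, and treat an embedded NUL in the candidate as invalid input rather than letting the comparison silently stop there.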
CVSS 4.0 (osv): 8.1
CVSS 3.1 (osv): 9.1
- https://ubuntu.com/security/CVE-2026-6104 (Third Party Advisory)
- https://www.cve.org/CVERecord?id=CVE-2026-6104 (Third Party Advisory)
- https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53 (Third Party Advisory)
Published: 10 May 2026 · Updated: 26 May 2026 · First seen: 26 May 2026