
CVE-2026-6104: PHP mbstring Functions Can Crash or Disclose Memory

CVE-2026-6104
Summary

PHP 8.4.* before 8.4.21 and 8.5.* before 8.5.6 are affected. If an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or a related mbstring function, the encoding lookup can read past the end of a global string, potentially crashing the process or disclosing memory contents. Update to 8.4.21 or 8.5.6 (or later) to fix this issue.

What to do

The affected-version ranges below indicate the fix is included in PHP 8.4.21 and 8.5.6. Update to those releases or later; if you rely on a distribution build, check with your vendor for a backported fix.

Affected software
Vendor   Product   Affected versions
php      php       >= 8.4.0, < 8.4.21
                   >= 8.5.0, < 8.5.6
CPE: cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Original description
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
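The description above names the root cause but not how an embedded NUL turns a zero return from strncasecmp() into an out-of-bounds read. The following C program is an added illustration of that pattern and of the fix, written for this page; it is not PHP's mbstring code. The encoding-name table, the lookup functions and the test input "utf-8\0zzzz" are all constructed here, and the vulnerable function reports the overread instead of performing it so the demonstration stays well-defined.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp() is POSIX */
#include <stddef.h>

/* Constructed stand-in for a global table of encoding names (string literals). */
static const char *const encoding_names[] = { "UTF-8", "UTF-16", "ISO-8859-1", "SJIS", NULL };

/* Outcome of one lookup: matched table index (or -1) and whether the comparison
   would have indexed the table entry past its own storage. */
struct lookup_result {
    int index;
    int overread;  /* 1 if entry[len] lies beyond the entry's terminating NUL */
};

/* Vulnerable pattern (illustrative, not PHP's code). strncasecmp() stops at the first
   NUL in either string, so for name = "utf-8\0zzzz" with len = 10 it returns 0 against
   "UTF-8" after five characters. Treating that as "same string" and then checking
   entry[len] to confirm the entry ends there reads 4 bytes past the 6-byte literal. */
struct lookup_result lookup_vulnerable(const char *name, size_t len)
{
    struct lookup_result r = { -1, 0 };
    for (size_t i = 0; encoding_names[i] != NULL; i++) {
        const char *entry = encoding_names[i];
        if (strncasecmp(entry, name, len) == 0) {
            size_t entry_size = strlen(entry) + 1;  /* bytes the literal actually owns */
            if (len >= entry_size) {
                /* Real code would read entry[len] here (global memory after the literal).
                   We only report that the read is out of bounds. */
                r.index = (int)i;
                r.overread = 1;
                return r;
            }
            if (entry[len] == '\0') {  /* in-bounds: exact-length match */
                r.index = (int)i;
                return r;
            }
        }
    }
    return r;
}

/* Fixed pattern: reject embedded NUL up front (an encoding name is a C string), and
   compare lengths before relying on strncasecmp() so a 0 return is an exact match. */
int lookup_fixed(const char *name, size_t len)
{
    if (memchr(name, '\0', len) != NULL)
        return -1;
    for (size_t i = 0; encoding_names[i] != NULL; i++) {
        const char *entry = encoding_names[i];
        if (strlen(entry) == len && strncasecmp(entry, name, len) == 0)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed attacker-style input: a valid name followed by NUL and junk. */
    const char bad[] = "utf-8\0zzzz";          /* 10 bytes of payload, 11 with the final NUL */
    struct lookup_result v = lookup_vulnerable(bad, 10);
    printf("vulnerable: index=%d overread=%d\n", v.index, v.overread);
    printf("fixed:      index=%d\n", lookup_fixed(bad, 10));
    printf("fixed, clean name: index=%d\n", lookup_fixed("utf-8", 5));
    return 0;
}
```

The fixed lookup also rejects prefixes such as "utf" (length 3), which the vulnerable variant only excludes by the very entry[len] read that goes out of bounds on longer inputs.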
NVD CVSS 4.0 score: 6.3
Vulnerability type
CWE-125 Out-of-bounds Read
Published: 10 May 2026 · Updated: 23 May 2026 · First seen: 10 May 2026