Description
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
A flaw was found in PHP. When an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, an out-of-bounds read of only 1 byte can occur due to the incorrect processing of string lengths. This issue can cause a denial of service or limited information disclosure.
Statement
This issue is exploited via a crafted encoding passed to mb_convert_encoding() without sanitization. The mb_detect_encoding(), mb_convert_variables() and mb_detect_order() functions, as well as the mbstring.detect_order and mbstring.http_output INI settings are also vulnerable. This vulnerability allows an attacker to cause an out-of-bounds read of only 1 byte, leading to a denial of service or a limited information disclosure. Due to these reasons, this flaw has been rated with an important severity.
Mitigation
To mitigate this vulnerability, sanitize any input containing a NUL byte before calling the vulnerable mbstring functions. Also, verify your PHP configuration to ensure the vulnerable INI settings are using securely hardcoded encodings.
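As an added example (not code from the advisory, from Red Hat or from PHP itself), a small PHP wrapper that applies the mitigation above: it rejects encoding names containing NUL or other control bytes, allowlists the rest against mb_list_encodings() and its aliases, and reports mbstring.detect_order / mbstring.http_output values that are not fixed to a known encoding. The function names are assumptions.

```php
<?php
// Added example (not from the advisory): validate encoding names before they
// reach mbstring, and check the INI settings the advisory lists.

/** Canonical name if $name is a known encoding free of control bytes, else null. */
function safe_encoding_name(string $name): ?string
{
    // Reject embedded NUL (the input class in the advisory) and other control bytes.
    if ($name === '' || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return null;
    }
    // Allowlist against this build's encodings and their aliases, case-insensitively.
    foreach (mb_list_encodings() as $known) {
        foreach (array_merge([$known], mb_encoding_aliases($known)) as $candidate) {
            if (strcasecmp($candidate, $name) === 0) {
                return $known;
            }
        }
    }
    return null;
}

/** Convert only when both encoding names pass validation. */
function safe_convert(string $data, string $to, string $from): string
{
    $to = safe_encoding_name($to);
    $from = safe_encoding_name($from);
    if ($to === null || $from === null) {
        throw new InvalidArgumentException('unsupported or malformed encoding name');
    }
    return mb_convert_encoding($data, $to, $from);
}

/** List INI entries that are not a fixed, recognised encoding ("auto" included). */
function audit_mbstring_ini(): array
{
    $findings = [];
    foreach (['mbstring.detect_order', 'mbstring.http_output'] as $key) {
        $entries = array_filter(array_map('trim', explode(',', (string) ini_get($key))));
        foreach ($entries as $enc) {
            if (strcasecmp($enc, 'auto') === 0 || safe_encoding_name($enc) === null) {
                $findings[] = "$key is not hardcoded to a known encoding: " . json_encode($enc);
            }
        }
    }
    return $findings;
}
// Constructed inputs: a valid name, and one carrying an embedded NUL.
var_dump(safe_encoding_name('utf-8'), safe_encoding_name("UTF-8\0x"));
print_r(audit_mbstring_ini());
```

Run it from the CLI with the same php.ini the web SAPI uses; an empty findings array means both INI settings are either unset or fixed to encodings this build recognises.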
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | php | Not affected | | |
| Red Hat Enterprise Linux 6 | php | Not affected | | |
| Red Hat Enterprise Linux 7 | php | Not affected | | |
| Red Hat Enterprise Linux 8 | php:7.4/php | Not affected | | |
| Red Hat Enterprise Linux 8 | php:8.2/php | Not affected | | |
| Red Hat Enterprise Linux 9 | php | Not affected | | |
| Red Hat Enterprise Linux 9 | php:8.2/php | Not affected | | |
| Red Hat Enterprise Linux 9 | php:8.3/php | Not affected | | |
| Red Hat Hardened Images | php | Not affected | | |
| Red Hat Enterprise Linux 10 | php8.4 | Fixed | RHSA-2026:22649 | 02.06.2026 |
Additional information
Status:
EPSS:
CVSS3: 8.2 High
Related vulnerabilities
Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding