
Denial of Service via improper handling of signed characters in ctype functions

Publication Date 2026-05-10
Severity Moderate
Type Denial of Service
Affected PHP Versions
  • 7.1.0-7.1.33
  • 7.2.0-7.2.34
  • 7.3.0-7.3.33
  • 7.4.0-7.4.33
  • 8.0.0-8.0.30
  • 8.1.0-8.1.34
  • 8.2.0-8.2.30
  • 8.3.0-8.3.30
  • 8.4.0-8.4.20
  • 8.5.0-8.5.5
Fixed Product Versions
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendPHP 8.4
  • ZendPHP 8.5
  • ZendServer 2021.4.5

CVE Details

A flaw was found in PHP. Some functions, including urldecode(), incorrectly pass signed characters to character type (ctype) functions. On certain systems, this can lead to accessing memory with a negative offset. This vulnerability can be exploited by an attacker to trigger a denial of service (DoS), making the affected PHP application or system unavailable.
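The C-level bug class behind this advisory, as an added illustration (this is not PHP's source and not Zend's code): the C ctype functions are defined only for values that fit in an unsigned char, or EOF, so a byte at or above 0x80 passed as a plain signed char becomes a negative int, and an implementation that uses the argument as a table index reads before the start of its table. The percent-decoder below is a constructed example that widens every byte through `unsigned char` before classifying it; its function names and the `rawurldecode()`-like behaviour (no `+` to space conversion) are assumptions for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not PHP's implementation.  The rule it demonstrates:
 * never pass a plain `char` to isxdigit()/isalnum()/...; widen it to
 * `unsigned char` first so the argument is always in 0..255 (or EOF). */

/* 1 if plain char is a signed type on this platform (true on x86 Linux). */
int char_is_signed(void)
{
    return (char)-1 < 0;
}

/* The value a ctype function would receive if the byte were passed as a
 * plain char: negative for bytes >= 0x80 whenever char is signed. */
int signed_index_of(char c)
{
    return (int)c;
}

/* The value it receives after the correct widening: always 0..255. */
int widened_index_of(char c)
{
    return (int)(unsigned char)c;
}

/* Hardened predicate: never hands a negative value to isxdigit(). */
int is_hex_digit(char c)
{
    return isxdigit((unsigned char)c) != 0;
}

/* Numeric value of a hex digit, or -1 if `c` is not one. */
static int hex_value(char c)
{
    unsigned char u = (unsigned char)c;
    if (u >= '0' && u <= '9') return u - '0';
    if (u >= 'a' && u <= 'f') return u - 'a' + 10;
    if (u >= 'A' && u <= 'F') return u - 'A' + 10;
    return -1;
}

/* Percent-decodes `in` into `out` (capacity `out_cap`) and NUL-terminates.
 * Returns the number of bytes written, or -1 if `out` is too small.
 * Like rawurldecode(), '+' is left untouched.  Malformed escapes ("%",
 * "%4", "%zz") are copied through literally, and raw bytes >= 0x80 in the
 * input only ever reach the classifier through is_hex_digit(). */
ptrdiff_t percent_decode(const char *in, char *out, size_t out_cap)
{
    size_t n = strlen(in);
    size_t o = 0;

    for (size_t i = 0; i < n; i++) {
        if (o + 1 >= out_cap)           /* keep room for the terminator */
            return -1;
        if (in[i] == '%' && i + 2 < n &&
            is_hex_digit(in[i + 1]) && is_hex_digit(in[i + 2])) {
            out[o++] = (char)(hex_value(in[i + 1]) * 16 + hex_value(in[i + 2]));
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (ptrdiff_t)o;
}

/* Helper: 1 if `in` decodes to exactly the `want_len` bytes at `want`. */
int decodes_to(const char *in, const char *want, size_t want_len)
{
    char buf[64];
    ptrdiff_t n = percent_decode(in, buf, sizeof buf);
    return n == (ptrdiff_t)want_len && memcmp(buf, want, want_len) == 0;
}

/* Helper: result of decoding `in` into a buffer of capacity `cap` (<= 64). */
ptrdiff_t decode_with_capacity(const char *in, size_t cap)
{
    char buf[64];
    return percent_decode(in, buf, cap > sizeof buf ? sizeof buf : cap);
}

int main(void)
{
    /* Constructed input: a raw 0xE9 byte followed by an escaped 'A'. */
    const char sample[] = "\xE9" "%41";
    char out[64];
    ptrdiff_t n = percent_decode(sample, out, sizeof out);
    printf("decoded %td bytes; first byte widened to %d\n",
           n, widened_index_of(out[0]));
    return 0;
}
```

The two `*_index_of` helpers make the root cause visible on the host you compile on: where `char_is_signed()` is true, `signed_index_of((char)0xE9)` is -23, which is exactly the kind of value that must never reach a ctype table lookup, while `widened_index_of` returns 233 for the same byte on every platform.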

Recommendations

Do not trust user-submitted URLs; if you must decode them, consider using rawurldecode() or filter_var() with the FILTER_SANITIZE_URL flag instead of urldecode().

Users should update to a PHP version patched against this vulnerability.