CVE-2026-7259

NULL pointer dereference in mb_regex_encoding

Publication Date	2026-05-10
Severity	Low
Type	Denial of Service
Affected PHP Versions	8.1.0-8.1.34 8.2.0-8.2.30 8.3.0-8.3.30 8.4.0-8.4.20 8.5.0-8.5.5
Fixed Product Versions	ZendPHP 8.1 ZendPHP 8.2 ZendPHP 8.3 ZendPHP 8.4 ZendPHP 8.5

CVE Details

A mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference when user-controlled input influences the encoding passed to mb_regex_encoding(), resulting in a segmentation fault.

Recommendations

If using mb_regex_encoding(), either do not allow user-supplied encoding values, or check them against a list of known-safe encodings prior to use.

If possible, upgrade to a patched version of PHP.

< View all CVEs