CVE Catalog

CVE-2026-6104

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.47%

37th percentile — higher than 37% of all known CVEs

Summary

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, passing an encoding name containing an embedded NUL byte to mb_convert_encoding() or related mbstring functions causes the code to incorrectly assume that strncasecmp() returning 0 means equal string lengths. This leads to an out-of-bounds read of global memory, potentially causing a crash or information disclosure.

Risk Assessment

The organization risks potential disclosure of sensitive data from memory or service disruption due to crashes if an attacker can control the encoding name passed to mbstring functions.

Recommendation

Immediately upgrade PHP to version 8.4.21 or later (for the 8.4 branch) or 8.5.6 or later (for the 8.5 branch).

Original NVD description (English source)

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS