CVE-2026-7258

NameCVE-2026-7258
DescriptionIn PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4586-1, DSA-6255-1, DSA-6256-1
Debian Bugs1136054

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php7.4 (PTS)bullseye7.4.33-1+deb11u5vulnerable
bullseye (security)7.4.33-1+deb11u11fixed
php8.2 (PTS)bookworm, bookworm (security)8.2.31-1~deb12u1fixed
php8.4 (PTS)trixie8.4.16-1~deb13u1vulnerable
trixie (security)8.4.21-1~deb13u1fixed
forky, sid8.4.21-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php7.4sourcebullseye7.4.33-1+deb11u11DLA-4586-1
php7.4source(unstable)(unfixed)
php8.2sourcebookworm8.2.31-1~deb12u1DSA-6255-1
php8.2source(unstable)(unfixed)
php8.4sourcetrixie8.4.21-1~deb13u1DSA-6256-1
php8.4source(unstable)8.4.21-11136054

Notes

https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4
https://github.com/php/php-src/commit/b8dad9314c1e225a1a2d50608e4e7d478c34365c
https://github.com/php/php-src/commit/dc9e21b81c143faa9677bb0cf157e83960a24d0d
https://github.com/php/php-src/commit/398b7dabfbd2e8f4f4ed2065dbcf3e3794e8ca47
https://github.com/php/php-src/commit/a38418777f65780d9d622197677e90567690fc07
Search for package or bug name: Reporting problems