PHP 8.4/8.5 mbstring NUL-byte Encoding OOB Read (fixed 8.4.21/8.5.6)
CVE-2026-6104 Published on May 10, 2026
Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that a return value of 0 from strncasecmp() means the two strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
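The comparison mistake the advisory describes, shown as an added illustration (this is not PHP's mbstring source; the encoding table and function names are constructed for the example): strncasecmp() stops at the first NUL in either operand, so a zero result does not prove the candidate and the table entry have the same length. The hardened lookup beside it rejects embedded NULs and requires an exact length match.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for a global encoding-name table (assumption, not PHP's real table). */
static const char *const kEncodingNames[] = { "ASCII", "UTF-8", "ISO-8859-1", "SJIS" };
#define NUM_ENCODINGS (sizeof kEncodingNames / sizeof kEncodingNames[0])

/* Flawed lookup in the style the advisory describes: a zero return from
 * strncasecmp() is taken to mean "whole buffer matched". Because strncasecmp()
 * stops at the first NUL in either string, "UTF-8\0junk" with len 10 matches
 * the 5-byte entry "UTF-8"; code that then trusts `len` as the length of the
 * table entry reads past the end of global memory. */
int lookup_flawed(const char *name, size_t len)
{
    for (size_t i = 0; i < NUM_ENCODINGS; i++) {
        if (strncasecmp(name, kEncodingNames[i], len) == 0)
            return (int)i;
    }
    return -1;
}

/* Hardened lookup: an embedded NUL is never a valid encoding name, and the
 * table entry must be exactly `len` bytes long, so a zero comparison result
 * really does mean the entire candidate matched the entire entry. */
int lookup_hardened(const char *name, size_t len)
{
    if (memchr(name, '\0', len) != NULL)
        return -1;
    for (size_t i = 0; i < NUM_ENCODINGS; i++) {
        if (strlen(kEncodingNames[i]) == len &&
            strncasecmp(name, kEncodingNames[i], len) == 0)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed attacker-style input: valid name, NUL, then trailing bytes. */
    const char bad[] = "UTF-8\0junk";
    printf("flawed:   %d\n", lookup_flawed(bad, sizeof bad - 1));   /* 1: false match */
    printf("hardened: %d\n", lookup_hardened(bad, sizeof bad - 1)); /* -1: rejected */
    return 0;
}
```

Until the fixed versions are deployed, the same check can be applied in PHP user code: reject any caller-controlled encoding name that contains "\0" before handing it to mbstring.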
Weakness Type
Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.
Products Associated with CVE-2026-6104
Affected Versions
PHP Group PHP:
- Version 8.4.* below 8.4.21 is affected.
- Version 8.5.* below 8.5.6 is affected.