Segfault DoS: PHP 8.28.5 via mb_regex_encoding NULL ptr deref
CVE-2026-7259 Published on May 10, 2026
Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
Weakness Type
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.
Products Associated with CVE-2026-7259
stack.watch emails you whenever new vulnerabilities are published in PHP or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
PHP Group PHP:- Version 8.2.* and below 8.2.31 is affected.
- Version 8.3.* and below 8.3.31 is affected.
- Version 8.4.* and below 8.4.21 is affected.
- Version 8.5.* and below 8.5.6 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.