Out-of-bounds Read Vulnerability in PHP mbstring Functions
CVE-2026-6104

6.3 MEDIUM

Key Information:

Vendor

PHP Group

Status
Vendor
CVE Published:
10 May 2026

What is CVE-2026-6104?

A vulnerability exists in specific PHP versions where mb_convert_encoding() and related mbstring functions do not correctly handle encoding names that contain embedded NUL bytes. The flaw can cause out-of-bounds reads of global memory, which may crash the application or disclose sensitive information. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables() and mb_detect_order(), together with the associated INI settings for mbstring detection and output encoding.
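The permanent fix is to upgrade to a patched release. Until then, application code can keep request-controlled encoding names away from the affected functions entirely. The following is an added example written for this page, not code from the advisory or from the PHP project: it builds an allow-list from the encodings the running mbstring build actually supports, rejects empty names and any name containing a NUL byte, and only then calls mb_convert_encoding() or mb_detect_encoding(). The function names and the sample inputs are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not from the advisory or the PHP project): validate an
// encoding name before it reaches mbstring, so a value taken from a request
// can never carry an embedded NUL byte into mb_convert_encoding() and friends.

function isKnownEncoding(string $name): bool
{
    // Reject empty names and any name containing a NUL byte outright.
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }

    // Case-insensitive allow-list built once from the encodings this build
    // of mbstring supports, plus their registered aliases.
    static $allowed = null;
    if ($allowed === null) {
        $allowed = [];
        foreach (mb_list_encodings() as $enc) {
            $allowed[strtolower($enc)] = true;
            foreach (mb_encoding_aliases($enc) as $alias) {
                $allowed[strtolower($alias)] = true;
            }
        }
    }

    return isset($allowed[strtolower($name)]);
}

function safeConvertEncoding(string $text, string $to, string $from): string
{
    foreach ([$to, $from] as $enc) {
        if (!isKnownEncoding($enc)) {
            throw new InvalidArgumentException('Unsupported or malformed encoding name');
        }
    }
    return mb_convert_encoding($text, $to, $from);
}

/**
 * Detect an encoding against a caller-supplied candidate list, dropping any
 * candidate that fails validation instead of passing it through.
 *
 * @param string[] $candidates
 */
function safeDetectEncoding(string $text, array $candidates): string|false
{
    $clean = array_values(array_filter($candidates, 'isKnownEncoding'));
    if ($clean === []) {
        throw new InvalidArgumentException('No valid candidate encodings supplied');
    }
    return mb_detect_encoding($text, $clean, true);
}

// Constructed inputs standing in for values read from a request.
$fromParam = "ISO-8859-1\0junk";   // embedded NUL, the shape the advisory describes
$toParam   = 'UTF-8';

try {
    $out = safeConvertEncoding("caf\xe9", $toParam, $fromParam);
    echo "converted: {$out}\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Same candidate list with the malformed entry filtered out before detection.
$detected = safeDetectEncoding("caf\xe9", [$fromParam, 'ISO-8859-1', 'UTF-8']);
echo 'detected: ' . var_export($detected, true) . "\n";
```

The allow-list is derived at runtime from mb_list_encodings() rather than hard-coded, so it tracks whatever the deployed mbstring build supports. Treat this as defence in depth for code that must accept encoding names from untrusted input; it does not replace updating to PHP 8.4.21 or 8.5.6.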

Affected Version(s)

PHP 8.4.* < 8.4.21

PHP 8.5.* < 8.5.6

References

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Akshay Jain
Ilija Tovilo