Denial of Service Vulnerability in PHP by The PHP Group
CVE-2026-7258

6.3 MEDIUM

Key Information:

Vendor

PHP Group

Status
Vendor
CVE Published:
10 May 2026

What is CVE-2026-7258?

In affected versions of PHP, some functions, such as urldecode(), can pass signed char values to ctype functions such as isxdigit(). On systems where char is signed by default and the ctype functions are optimized, particularly NetBSD, this may result in array accesses at negative offsets, potentially leading to service disruption.
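The safe calling pattern for the ctype issue described above, as an added example that is not PHP's source code: the function names are hypothetical, the input is constructed, and `signed char` is used explicitly to model a platform whose plain `char` is signed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value a ctype function would receive for one input byte when the byte is
 * held in a signed char and passed without a cast (the pattern described). */
static int ctype_arg_uncast(signed char c) { return c; }

/* Value after the standard fix: convert to unsigned char first, so the
 * argument is always in 0..UCHAR_MAX as <ctype.h> requires. */
static int ctype_arg_cast(signed char c) { return (unsigned char)c; }

static int hex_val(unsigned char c)   /* caller has already checked isxdigit */
{
    if (c >= '0' && c <= '9') return c - '0';
    return tolower(c) - 'a' + 10;
}

/* Hypothetical in-place percent-decoder (not PHP's urldecode): every byte
 * is cast to unsigned char before it reaches isxdigit(). Returns new length. */
static size_t demo_urldecode(char *s, size_t len)
{
    size_t in = 0, out = 0;
    while (in < len) {
        if (s[in] == '+') {
            s[out++] = ' ';
            in++;
        } else if (s[in] == '%' && len - in >= 3 &&
                   isxdigit((unsigned char)s[in + 1]) &&
                   isxdigit((unsigned char)s[in + 2])) {
            s[out++] = (char)(hex_val((unsigned char)s[in + 1]) * 16 +
                              hex_val((unsigned char)s[in + 2]));
            in += 3;
        } else {
            s[out++] = s[in++];   /* not a valid escape: copy the byte as-is */
        }
    }
    return out;
}

int main(void)
{
    char buf[] = "a%41+%\xE9\xFFz";   /* constructed input with high-bit bytes */
    size_t n = demo_urldecode(buf, strlen(buf));
    printf("uncast=%d cast=%d decoded_len=%zu\n",
           ctype_arg_uncast((signed char)0xE9), ctype_arg_cast((signed char)0xE9), n);
    return 0;
}
```

The uncast value for byte 0xE9 is negative, which is outside the range the ctype functions are defined for; the cast value is 233 and is always a valid argument.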

Affected Version(s)

PHP NetBSD 8.2.*

PHP NetBSD 8.2.* < 8.2.31

PHP NetBSD 8.3.* < 8.3.31

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

xfourj
Ilija Tovilo