Denial of Service Vulnerability in PHP Affects Multiple Versions
CVE-2026-7259
CVSS v4 score: 2.1 (LOW)
What is CVE-2026-7259?
A vulnerability exists in PHP due to a mismatch between the encoding lists maintained by Oniguruma and by mbfl, which can lead to a NULL pointer dereference. The resulting segmentation fault crashes the PHP process, causing a denial of service. The issue is reachable when an attacker can influence the encoding name passed to the mb_regex_encoding() function. Applications running affected PHP versions should update promptly (8.2.31 or later on the 8.2 branch, 8.3.31 or later on the 8.3 branch) to mitigate this risk.
Affected Version(s)
PHP 8.2.*
PHP 8.2.* < 8.2.31
PHP 8.3.* < 8.3.31
CVSS v4
Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability reserved
Credit
Viet Hoang Luu (The University of Melbourne)
Amirmohammad Pasdar (The University of Melbourne)
Wachiraphan Charoenwet (The University of Melbourne)
Shaanan Cohney (The University of Melbourne)
Toby Murray (The University of Melbourne)
Van-Thuan Pham (The University of Melbourne)
Ilija Tovilo
