Integer Overflow Vulnerability in PHP Metaphone Function
CVE-2026-7568

6.3MEDIUM

Key Information:

Vendor: PHP Group
Status: PHP
Vendor: CVE Published:; 10 May 2026

What is CVE-2026-7568?

An integer overflow vulnerability exists in the metaphone() function of PHP versions prior to 8.2.31, 8.3.31, 8.4.21, and 8.5.6. When a string exceeding 2,147,483,647 bytes is processed, a signed integer overflow occurs, leading to undefined behavior. This can result in an out-of-bounds read which may cause a segmentation fault or unauthorized access to memory, compromising the stability and security of PHP processes.

Affected Version(s)

PHP 8.2.*

PHP 8.2.* < 8.2.31

PHP 8.3.* < 8.3.31

References

https://github.com/php/php-src/security/advisories/GHSA-9...

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 10, 2026
Vulnerability Reserved
Apr 30, 2026

Credit

Aleksey Solovev (Positive Technologies)

Tim Düsterhus

CVE-2026-7568 Data

JSON