{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-7259","assignerOrgId":"dd77f84a-d19a-4638-8c3d-a322d820ed2b","state":"PUBLISHED","assignerShortName":"php","dateReserved":"2026-04-28T05:07:03.118Z","datePublished":"2026-05-10T04:13:26.766Z","dateUpdated":"2026-05-11T13:13:50.416Z"},"containers":{"cna":{"providerMetadata":{"orgId":"dd77f84a-d19a-4638-8c3d-a322d820ed2b","shortName":"php","dateUpdated":"2026-05-10T04:13:26.766Z"},"title":"Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()","datePublic":"2026-05-07T00:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference","type":"CWE"}]}],"affected":[{"vendor":"PHP Group","product":"PHP","packageName":"mbstring","versions":[{"status":"affected","version":"8.2.*","lessThan":"8.2.31","versionType":"semver"},{"status":"affected","version":"8.3.*","lessThan":"8.3.31","versionType":"semver"},{"status":"affected","version":"8.4.*","lessThan":"8.4.21","versionType":"semver"},{"status":"affected","version":"8.5.*","lessThan":"8.5.6","versionType":"semver"}],"defaultStatus":"affected"}],"descriptions":[{"lang":"en","value":"In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to  a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().","supportingMedia":[{"type":"text/html","base64":false,"value":"In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to  a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding()."}]}],"references":[{"url":"https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"AMBER","version":"4.0","baseSeverity":"LOW","baseScore":2.1,"vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/U:Amber"}}],"credits":[{"lang":"en","value":"Viet Hoang Luu (The University of Melbourne)","type":"reporter"},{"lang":"en","value":"Amirmohammad Pasdar (The University of Melbourne)","type":"reporter"},{"lang":"en","value":"Wachiraphan Charoenwet (The University of Melbourne)","type":"reporter"},{"lang":"en","value":"Shaanan Cohney (The University of Melbourne)","type":"reporter"},{"lang":"en","value":"Toby Murray (The University of Melbourne)","type":"reporter"},{"lang":"en","value":"Van-Thuan Pham (The University of Melbourne)","type":"reporter"},{"lang":"en","value":"Ilija Tovilo","type":"remediation developer"}],"source":{"advisory":"GHSA-wm6j-2649-pv75","discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-11T13:12:58.875843Z","id":"CVE-2026-7259","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-11T13:13:50.416Z"}}]}}