CVE-2026-6104 Overview
CVE-2026-6104 is an out-of-bounds read vulnerability in PHP's multibyte string (mbstring) extension. The flaw affects PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6. When an encoding name containing an embedded NUL byte reaches mb_convert_encoding() or related mbstring functions, the implementation incorrectly assumes that a zero return from strncasecmp() implies equal string lengths. Attackers can leverage this assumption to read beyond the bounds of global memory. The condition can cause process crashes or expose memory contents, leading to information disclosure. The vulnerability is classified under [CWE-125] Out-of-bounds Read.
Critical Impact
Remote attackers controlling encoding parameters can trigger out-of-bounds reads of global memory, potentially crashing PHP processes or disclosing sensitive information.
Affected Products
- PHP 8.4.* versions prior to 8.4.21
- PHP 8.5.* versions prior to 8.5.6
- Applications using mbstring.detect_order or mbstring.http_output INI settings
Discovery Timeline
- 2026-05-10 - CVE-2026-6104 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-6104
Vulnerability Analysis
The vulnerability resides in PHP's mbstring extension, which handles multibyte character encoding conversions. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(). The mbstring.detect_order and mbstring.http_output INI settings are also impacted.
When the extension parses an encoding name, it uses strncasecmp() to compare the supplied name against known encoding identifiers. A return value of zero from strncasecmp() only indicates that the compared bytes match case-insensitively up to the first NUL byte in either string or up to N bytes, whichever comes first. It does not guarantee that both strings have the same overall length, and because PHP strings carry an explicit length and may contain NUL bytes, a name such as "UTF-8" followed by a NUL and further bytes compares equal to "UTF-8". The mbstring code treats this result as equivalent to a full string match, allowing crafted input to be processed as a recognized encoding.
An EPSS score of 0.021% reflects low observed exploitation probability, but the network attack surface remains broad for applications that accept user-supplied encoding parameters.
Root Cause
The root cause is improper input validation combined with a flawed length assumption. An encoding name such as "UTF-8\0extra" causes strncasecmp() to return zero against the legitimate "UTF-8" identifier. The code then proceeds with subsequent operations using the attacker-influenced full string length, leading to reads beyond the intended buffer boundaries in global memory.
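The comparison flaw described above, reduced to a stand-alone C illustration that is added here and is not PHP's own code: a hypothetical encoding table and two lookup routines, the flawed one that trusts a zero return from strncasecmp() with an attacker-supplied length, and the corrected one that also requires equal lengths and no embedded NUL. The table and function names are assumptions for the example; the flawed routine only reports the false match and does not perform the out-of-bounds read.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical encoding table standing in for mbstring's global list
 * (illustration only, not PHP's actual data structures). */
static const char *const ENCODINGS[] = { "UTF-8", "ISO-8859-1", "ASCII" };
#define NUM_ENCODINGS (sizeof ENCODINGS / sizeof ENCODINGS[0])

/* Flawed pattern from the advisory: name_len is the length of the
 * user-supplied PHP string, which may contain NUL bytes. strncasecmp()
 * stops at the first NUL, so the 11-byte "UTF-8\0extra" compares equal
 * to the 5-byte constant "UTF-8"; code that then uses name_len as the
 * length of that constant reads past it. Returns the matched index or -1. */
static int lookup_flawed(const char *name, size_t name_len) {
    for (size_t i = 0; i < NUM_ENCODINGS; i++) {
        if (strncasecmp(name, ENCODINGS[i], name_len) == 0) {
            return (int)i;
        }
    }
    return -1;
}

/* Corrected pattern: a zero return counts as a full match only when the
 * lengths agree, and a name with an embedded NUL is rejected outright
 * because strncasecmp()'s early stop would otherwise be mistaken for
 * equality. */
static int lookup_fixed(const char *name, size_t name_len) {
    if (memchr(name, '\0', name_len) != NULL) {
        return -1;   /* embedded NUL is never a legitimate encoding name */
    }
    for (size_t i = 0; i < NUM_ENCODINGS; i++) {
        size_t known_len = strlen(ENCODINGS[i]);
        if (known_len == name_len &&
            strncasecmp(name, ENCODINGS[i], name_len) == 0) {
            return (int)i;
        }
    }
    return -1;
}
```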
Attack Vector
Exploitation requires the attacker to inject an encoding name containing an embedded NUL byte into a vulnerable mbstring function call. This is reachable in any PHP application that accepts encoding identifiers from HTTP parameters, headers, request bodies, or other user-controlled inputs. The attack is network-based and requires no authentication or user interaction. Successful exploitation results in either a denial of service through process crash or disclosure of adjacent global memory contents.
No verified public proof-of-concept code is currently available. Refer to the PHP Security Advisory GHSA-74r9-qxhc-fx53 for upstream technical details.
Detection Methods for CVE-2026-6104
Indicators of Compromise
- HTTP requests containing encoding parameter values with embedded NUL bytes (%00) followed by additional characters
- Unexpected PHP-FPM or Apache worker crashes correlated with requests invoking mbstring functions
- Application error logs referencing segmentation faults during mb_convert_encoding() or mb_detect_encoding() calls
- Anomalous responses containing fragments of memory data when encoding parameters are manipulated
Detection Strategies
- Inspect web application firewall logs for URL-encoded NUL bytes (%00) within parameters known to feed mbstring functions
- Monitor PHP error logs for repeated worker process crashes tied to specific request patterns
- Audit application source code for mbstring function calls that accept encoding names from untrusted input
Monitoring Recommendations
- Enable verbose PHP error logging to capture mbstring-related faults
- Deploy runtime application self-protection (RASP) or WAF rules that reject encoding parameters containing NUL bytes
- Track PHP version inventory across all web-facing hosts to identify unpatched instances of 8.4.x and 8.5.x
How to Mitigate CVE-2026-6104
Immediate Actions Required
- Upgrade PHP 8.4.x installations to version 8.4.21 or later
- Upgrade PHP 8.5.x installations to version 8.5.6 or later
- Identify all application entry points that pass user input to mbstring functions and add input validation
- Restart PHP-FPM, Apache, or other PHP-hosting services after applying the patch
Patch Information
The PHP project released fixes in versions 8.4.21 and 8.5.6. The patches correct the length comparison logic following strncasecmp() calls within the mbstring extension. Refer to the PHP Security Advisory GHSA-74r9-qxhc-fx53 for the official patch references and commit details.
Workarounds
- Reject any user-supplied encoding parameter that contains a NUL byte before passing it to mbstring functions
- Restrict accepted encoding values to a hardcoded allowlist using strict equality checks rather than relying on mbstring's internal matching
- Disable the mbstring extension on hosts that do not require multibyte encoding functionality
Configuration example - verify the PHP version and validate encoding input

Shell: check the installed PHP version (patched systems report PHP 8.4.21 or PHP 8.5.6, or later):

php -v

PHP: validate a user-supplied encoding name before it reaches any mbstring function. The value is rejected if it contains a NUL byte or is not in the hardcoded allowlist; in_array() with strict=true performs an exact, case-sensitive comparison rather than relying on mbstring's internal matching.

<?php
$allowed = ['UTF-8', 'ISO-8859-1', 'ASCII'];
if (strpos($encoding, "\0") !== false || !in_array($encoding, $allowed, true)) {
    reject_request(); // application-defined handler, e.g. respond 400 and stop processing
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.