CVE-2026-7258 Overview
CVE-2026-7258 is an out-of-bounds read vulnerability [CWE-125] affecting multiple PHP versions. The flaw resides in how certain PHP functions, including urldecode(), pass signed char values to ctype functions such as isxdigit(). On systems where the default char type is signed and ctype functions use optimized table lookups, this behavior can result in indexing an array with a negative offset. The condition triggers a denial of service in affected PHP processes. NetBSD is explicitly identified as a vulnerable platform due to its default signed char and lookup-table ctype implementation.
Critical Impact
Remote attackers can trigger a denial of service against PHP applications by sending crafted input to functions that internally invoke ctype routines on signed character data.
Affected Products
- PHP versions 8.2.* before 8.2.31
- PHP versions 8.3.* before 8.3.31, and 8.4.* before 8.4.21
- PHP version 8.5.* before 8.5.6
Discovery Timeline
- 2026-05-10 - CVE-2026-7258 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-7258
Vulnerability Analysis
The vulnerability is an out-of-bounds read in PHP's character-classification handling. Functions such as urldecode() parse user-supplied byte sequences and forward individual bytes to ctype helpers like isxdigit(). On platforms where char is signed by default, byte values of 0x80 and above become negative when promoted to int (0xC3 becomes -61; 0xFF becomes -1, which is also the value of EOF). When the underlying libc implements ctype routines as table lookups, that negative integer is used directly as an index into the classification table, so the lookup reads memory before the table instead of a table entry. The C standard makes such a call undefined behavior; whether it merely misclassifies the byte or faults depends on what happens to lie before the table in that libc, which is why the symptom is process termination on some configurations and nothing visible on others. NetBSD is one platform where signed char and lookup-table ctype are both the default, making the crash reliably reachable there.
Root Cause
The root cause is a portability defect in PHP's source code. The C standard requires that the argument to ctype functions be representable as an unsigned char or equal to EOF. PHP code paths feeding urldecode() data into isxdigit() did not cast the byte to unsigned char before the call; because the data is accessed through plain char, the conversion to a negative int is implicit on signed-char platforms and no explicit cast is needed for the bad value to appear.
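The following is an added example, not PHP's source and not code from the advisory: it models the defect described above with explicit signed char arithmetic, so the negative index a signed-char platform such as NetBSD would produce is reproduced wherever it is compiled, and it places a hardened percent-decoder beside it. The defective isxdigit() call is never executed (passing a negative value is undefined behavior); instead the index it would use is computed and checked. The table layout assumed (one entry for EOF plus 0..255) is a typical lookup-table libc layout, stated here as an assumption rather than taken from any particular libc.

```c
/* Added example (not PHP's source): model of the signed-char ctype defect,
 * with the hardened decoder beside it. 'signed char' is used explicitly so
 * the arithmetic of a signed-char platform is reproduced on any compiler.
 * Assumption: the libc ctype table has entries for EOF (-1) and 0..255. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The int that reaches isxdigit() when a byte is read through a plain char
 * on a signed-char target and then promoted: 0x80..0xFF become negative. */
int promoted_value(unsigned char byte)
{
    signed char c = (signed char)byte;   /* what 'char' is on a signed-char platform */
    return (int)c;                       /* integer promotion sign-extends */
}

/* 1 if the defective promotion lands outside the assumed table. 0xFF promotes
 * to -1 and is silently classified as EOF (wrong, but in bounds); 0x80..0xFE
 * index memory before the table. */
int reads_outside_ctype_table(unsigned char byte)
{
    int idx = promoted_value(byte);
    return idx < -1 || idx > 255;
}

/* Number of byte values (out of 256) that index outside the table: 127. */
int count_out_of_table_bytes(void)
{
    int n = 0;
    for (int b = 0; b < 256; b++)
        n += reads_outside_ctype_table((unsigned char)b);
    return n;
}

/* Value of an ASCII hex digit the caller has already validated. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return c - 'A' + 10;
}

/* Hardened percent-decoder in the style of urldecode(): '+' becomes ' ',
 * '%XX' becomes byte XX, and an incomplete or non-hex '%' sequence is copied
 * through. Every byte is cast to unsigned char before isxdigit(), as the C
 * standard requires, so a high-bit byte after '%' is a valid index and is
 * correctly reported as "not a hex digit". The defective form is the same
 * loop with the plain char passed straight to isxdigit(). 'out' needs
 * len + 1 bytes. Returns the decoded length. */
size_t url_decode_safe(const char *in, size_t len, char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '+') {
            out[o++] = ' ';
        } else if (c == '%' && i + 2 < len
                   && isxdigit((unsigned char)in[i + 1])
                   && isxdigit((unsigned char)in[i + 2])) {
            out[o++] = (char)((hexval((unsigned char)in[i + 1]) << 4)
                              | hexval((unsigned char)in[i + 2]));
            i += 2;
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    char out[32];
    /* Constructed input: a '%' followed by the UTF-8 bytes of "é" (C3 A9). */
    const char crafted[] = "q=%\xC3\xA9";
    printf("0xC3 promoted via signed char: %d\n", promoted_value(0xC3));
    printf("byte values indexing outside the table: %d\n", count_out_of_table_bytes());
    size_t n = url_decode_safe(crafted, sizeof crafted - 1, out);
    printf("decoded %zu bytes, '%%' preserved: %s\n", n, out[2] == '%' ? "yes" : "no");
    return 0;
}
```

The decoder shows the property that matters for the fix: with the unsigned char cast, the crafted input is handled as "percent sign not followed by hex digits" and copied through, which is the behavior the patched releases restore on every platform.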
Attack Vector
An attacker delivers an HTTP request whose parameter, as seen by urldecode(), contains a '%' followed by a byte of 0x80 or above (or by a hex digit and then such a byte, since the decoder inspects both characters after the percent sign). Query-string and form parameters have already been decoded once by the time a script reads them, so reaching a second urldecode() call on $_GET or $_POST data typically means double-encoding, for example %25%C3; code that decodes raw input such as $_SERVER['QUERY_STRING'] or the request body can be hit with a single encoding. Processing the input triggers the out-of-bounds read and crashes the PHP worker, degrading service availability for a remote, unauthenticated client.
No verified public proof-of-concept code is available. Refer to the PHP Security Advisory GHSA-m8rr-4c36-8gq4 for upstream technical details.
Detection Methods for CVE-2026-7258
Indicators of Compromise
- Unexpected segmentation faults or SIGSEGV entries for PHP-FPM or Apache mod_php worker processes in system logs.
- HTTP 5xx error spikes correlated with requests whose parameters contain a percent sign followed by a high-bit byte after one round of decoding, typically double-encoded sequences such as %25%C3 or a raw '%' followed by raw non-ASCII bytes. Ordinary UTF-8 parameters (%C3%A9) are not by themselves an indicator.
- Repeated PHP worker restarts on NetBSD or other signed-char platforms after exposure to internet traffic.
Detection Strategies
- Inventory PHP installations and compare runtime versions against the fixed releases 8.2.31, 8.3.31, 8.4.21, and 8.5.6.
- Inspect web access logs for percent signs that survive one round of decoding and are followed by high-bit bytes (for example the double-encoded sequence %25%C3) on endpoints that call urldecode() on untrusted input.
- Correlate worker crashes with the originating client IP and request body to distinguish probing from legitimate traffic.
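The detection strategy above, as an added example that is not part of the advisory or of any PHP project code: a scanner for access-log lines that applies the single percent-decoding a web server or PHP's request handling performs before a script sees the value, then flags any '%' that survives and is followed by a high-bit byte (or by a hex digit and then a high-bit byte). Ordinary UTF-8 such as caf%C3%A9 is not flagged because one decode leaves no '%' behind. The log lines are constructed for this example in combined log format and assume non-ASCII bytes are logged as sent; servers that escape such bytes in logs (for example as \xHH) need that escaping reversed before this check.

```c
/* Added example (not from the advisory or PHP): flag access-log requests
 * whose target, after one percent-decode, still carries a '%' followed by a
 * high-bit byte, i.e. input that would drive a negative value into a
 * signed-char ctype lookup. Sample log lines are constructed, not real. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return c - 'A' + 10;
}

/* One round of percent-decoding, as applied to the request target before a
 * PHP script sees it. 'out' must hold at least 'len' bytes. Returns length. */
static size_t decode_once(const char *in, size_t len, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%' && i + 2 < len
            && isxdigit((unsigned char)in[i + 1])
            && isxdigit((unsigned char)in[i + 2])) {
            out[o++] = (unsigned char)((hexval((unsigned char)in[i + 1]) << 4)
                                       | hexval((unsigned char)in[i + 2]));
            i += 2;
        } else {
            out[o++] = c;
        }
    }
    return o;
}

/* 1 if the decoded bytes contain a '%' with at least two bytes after it whose
 * next byte, or hex digit plus following byte, is >= 0x80. Those are the
 * positions a urldecode()-style parser passes to isxdigit(). */
int decoded_has_high_bit_after_percent(const unsigned char *d, size_t n)
{
    for (size_t p = 0; p + 2 < n; p++) {
        if (d[p] != '%') continue;
        if (d[p + 1] >= 0x80) return 1;
        if (isxdigit(d[p + 1]) && d[p + 2] >= 0x80) return 1;
    }
    return 0;
}

/* Locate the request target (path and query) inside the quoted request line
 * of a combined-format entry: the token after the method. */
static int request_target(const char *line, const char **start, size_t *len)
{
    const char *quote = strchr(line, '"');
    if (!quote) return 0;
    const char *after_method = strchr(quote + 1, ' ');
    if (!after_method) return 0;
    const char *end = strchr(after_method + 1, ' ');   /* before "HTTP/1.x" */
    if (!end) return 0;
    *start = after_method + 1;
    *len = (size_t)(end - *start);
    return 1;
}

int line_is_suspicious(const char *line)
{
    const char *target;
    size_t len;
    unsigned char decoded[4096];
    if (!request_target(line, &target, &len)) return 0;
    if (len > sizeof decoded) len = sizeof decoded;
    size_t n = decode_once(target, len, decoded);
    return decoded_has_high_bit_after_percent(decoded, n);
}

/* Constructed sample lines, not real traffic. Only the second and fourth
 * carry a '%' that survives one decode and is followed by a high-bit byte. */
static const char *const SAMPLE_LOG[] = {
    "203.0.113.7 - - [10/May/2026:12:00:01 +0000] \"GET /search.php?q=caf%C3%A9 HTTP/1.1\" 200 512",
    "203.0.113.7 - - [10/May/2026:12:00:02 +0000] \"GET /search.php?q=100%25%C3%A9 HTTP/1.1\" 502 0",
    "203.0.113.7 - - [10/May/2026:12:00:03 +0000] \"GET /search.php?q=a%2525b HTTP/1.1\" 200 300",
    "203.0.113.9 - - [10/May/2026:12:00:04 +0000] \"POST /api.php?next=%25%34%FF HTTP/1.1\" 502 0",
};
#define SAMPLE_LOG_COUNT (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Number of sample lines flagged; prints each hit as a triage script would. */
size_t count_suspicious(void)
{
    size_t hits = 0;
    for (size_t i = 0; i < SAMPLE_LOG_COUNT; i++) {
        if (line_is_suspicious(SAMPLE_LOG[i])) {
            hits++;
            printf("SUSPECT: %s\n", SAMPLE_LOG[i]);
        }
    }
    return hits;
}

int main(void)
{
    printf("%zu of %zu sample requests flagged\n", count_suspicious(), SAMPLE_LOG_COUNT);
    return 0;
}
```

The third sample line (a%2525b) is deliberately not flagged: after one decode it is a%25b, a percent sign followed by two ordinary hex digits, which a signed-char lookup handles correctly. The same decode-then-inspect logic translates into a WAF rule that keys on %25 (or a raw '%') followed by an encoded octet of %80 or above, rather than on every non-ASCII octet.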
Monitoring Recommendations
- Enable core-dump collection for PHP worker processes and alert on new crash signatures in central logging.
- Expose the PHP-FPM status page (pm.status_path) and track its process and request-failure metrics to detect availability degradation early.
- Add a WAF rule that flags a literal or double-encoded percent sign (%25) followed by an encoded octet of %80 or above on PHP endpoints; a rule that flags every non-ASCII encoded octet would also match ordinary UTF-8 traffic.
How to Mitigate CVE-2026-7258
Immediate Actions Required
- Upgrade PHP to 8.2.31, 8.3.31, 8.4.21, or 8.5.6 depending on the deployed branch.
- Prioritize patching on NetBSD and any platform built with signed char defaults, where exploitation is reliable.
- Restart PHP-FPM and web server processes after upgrading to ensure the patched binary is loaded.
Patch Information
PHP maintainers released fixed builds in versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6. The fix ensures bytes are cast to unsigned char before being passed to ctype functions. See the PHP Security Advisory GHSA-m8rr-4c36-8gq4 for commit references.
Workarounds
- Deploy a WAF or reverse-proxy rule that rejects parameters in which a percent sign survives decoding and is followed by a high-bit byte (for example the double-encoded sequence %25%C3) when patching cannot be performed immediately. Do not reject every non-ASCII encoded octet, since that breaks legitimate UTF-8 input.
- Rebuilding PHP with the compiler flag -funsigned-char on affected platforms removes the negative-index condition, but it changes the signedness of every plain char in PHP and must be applied consistently to any extension built separately; treat it as a stopgap, run the PHP test suite against the result, and replace it with the upstream fix.
- PHP-FPM's master process already respawns a child that exits on SIGSEGV, so recycling workers with a low pm.max_requests does not reduce the impact; each crash still aborts the in-flight request. Instead keep pm.max_children sized so that a burst of crashes does not exhaust the pool, and set emergency_restart_threshold and emergency_restart_interval so that a flood of child crashes is surfaced as a logged master restart rather than absorbed silently.
# Verify the installed PHP version against the fixed releases. The FPM binary
# can differ from the CLI, so check the one that serves traffic; its name
# varies by branch and distribution (php-fpm8.3, php-fpm8.4, ...). On
# distributions that backport fixes, compare the package changelog rather than
# the version string alone.
php -v
php-fpm8.3 -v
# Example Debian/Ubuntu upgrade path
sudo apt update && sudo apt install --only-upgrade php php-fpm
# Restart the FPM service for the branch in use so the patched binary is loaded
sudo systemctl restart php8.3-fpm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.