CVE-2026-7259 Overview
CVE-2026-7259 is a NULL pointer dereference vulnerability [CWE-476] in PHP affecting the mb_regex_encoding() function. The flaw stems from a mismatch between encoding lists in the Oniguruma regex library and the mbfl (multibyte filter library) component. When user-controlled input influences the encoding argument passed to mb_regex_encoding(), the resulting dereference triggers a segmentation fault and denial of service in the PHP process.
The issue affects PHP versions 8.2.x before 8.2.31, 8.3.x before 8.3.31, 8.4.x before 8.4.21, and 8.5.x before 8.5.6.
Critical Impact
An attacker who controls the encoding string passed to mb_regex_encoding() can crash the PHP worker process, causing a denial of service condition on affected web applications.
Affected Products
- PHP 8.2.x prior to 8.2.31
- PHP 8.3.x prior to 8.3.31
- PHP 8.4.x prior to 8.4.21
- PHP 8.5.x prior to 8.5.6
Discovery Timeline
- 2026-05-10 - CVE-2026-7259 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-7259
Vulnerability Analysis
The vulnerability resides in PHP's multibyte string extension (ext/mbstring). PHP's mb_regex_encoding() function sets the character encoding used by multibyte regular expression functions. Internally, PHP relies on two encoding subsystems: Oniguruma for regex matching and mbfl for character conversion.
The encoding name resolution differs between these two components. An encoding string accepted by one lookup table may return a NULL pointer in the other. When the code path proceeds to dereference that NULL pointer, the PHP process terminates with a segmentation fault. The flaw is categorized as [CWE-476] NULL Pointer Dereference.
Applications that pass user-supplied data, such as HTTP headers or query parameters, into mb_regex_encoding() without validation are exposed. Each successful trigger kills the PHP worker handling the request, degrading availability of the application.
Root Cause
The defect is a logic inconsistency between encoding registries. Oniguruma recognizes certain encoding aliases that mbfl does not, and vice versa. PHP code that queries one registry assumes the other will return a matching, non-NULL pointer for the same input. This assumption fails for specific edge-case encoding names, producing the dereference.
Attack Vector
Exploitation requires an attacker to reach a code path where untrusted input flows into the encoding argument of mb_regex_encoding(). PHP does not feed request data into that function on its own, so the issue is network-reachable only through application logic that forwards query parameters, headers, or similar input into it. Successful exploitation yields denial of service against the PHP worker; the advisory does not indicate information disclosure or code execution impact.
No public proof-of-concept or verified exploit code has been published. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and its EPSS probability is 0.052%. See the PHP Security Advisory GHSA-wm6j-2649-pv75 for upstream technical detail.
Detection Methods for CVE-2026-7259
Indicators of Compromise
- Repeated PHP-FPM or Apache worker crashes with segmentation fault signatures in system logs.
- Web server error logs showing child process exited on signal 11 correlated with requests that include unusual encoding parameters.
- HTTP requests containing atypical encoding names targeting endpoints that invoke mb_regex_encoding().
Detection Strategies
- Audit application source code for calls to mb_regex_encoding() and trace whether the argument originates from untrusted input.
- Inspect web access logs for anomalous values in parameters or headers that feed multibyte regex configuration.
- Monitor PHP version inventory across hosts to identify instances running versions earlier than 8.2.31, 8.3.31, 8.4.21, or 8.5.6.
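The first and third strategies above (auditing source for mb_regex_encoding() calls fed by request data, and checking a version inventory against the fixed releases) as one Python script. This is an added example, not code from the PHP project or the advisory: the SAMPLE_PHP source is constructed, and the same-file, superglobal-based taint heuristic is a triage aid rather than a real taint analysis.

```python
"""Pre-patch inventory helpers for CVE-2026-7259.

Added example, not PHP project or advisory code. Two checks from the detection
strategies above:
  1. version_status(): compare an installed PHP version (a 'php -v' banner or a
     bare version string) against the fixed release of its branch.
  2. find_risky_calls(): a line-oriented, regex-based audit of PHP source for
     mb_regex_encoding() calls whose argument comes from a request superglobal,
     directly or via a variable assigned from one earlier in the same file.
The audit is a triage heuristic (same file, no control flow), not a taint analysis.
"""
import re

# Fixed releases per branch, from the affected-version list in this advisory.
FIXED = {(8, 2): (8, 2, 31), (8, 3): (8, 3, 31), (8, 4): (8, 4, 21), (8, 5): (8, 5, 6)}


def parse_php_version(text: str) -> tuple:
    """Return (major, minor, patch) from a 'php -v' banner or a bare version string."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no PHP version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_status(text: str) -> str:
    """'vulnerable', 'fixed', or 'not-listed' for branches outside the advisory (e.g. EOL 8.1)."""
    ver = parse_php_version(text)
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return "not-listed"
    return "vulnerable" if ver < fixed else "fixed"


SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")
CALL = re.compile(r"mb_regex_encoding\s*\(\s*([^)]*)\)")   # captures the argument text up to ')'
ASSIGN = re.compile(r"(\$\w+)\s*=\s*([^;]*);")              # $var = <expr>;


def find_risky_calls(php_source: str) -> list:
    """Return [(line_number, argument_text)] for mb_regex_encoding() calls fed by request data."""
    tainted = []   # variables assigned from a superglobal or from another tainted variable
    risky = []

    def uses_taint(expr: str) -> bool:
        return bool(SUPERGLOBAL.search(expr)) or any(
            re.search(re.escape(v) + r"\b", expr) for v in tainted)

    for lineno, line in enumerate(php_source.splitlines(), 1):
        for var, rhs in ASSIGN.findall(line):
            if uses_taint(rhs) and var not in tainted:
                tainted.append(var)
        for arg in CALL.findall(line):
            arg = arg.strip()
            if arg and uses_taint(arg):   # empty argument is the getter form, not a setter
                risky.append((lineno, arg))
    return risky


# Constructed PHP source for the audit demo (not real application code).
SAMPLE_PHP = r"""<?php
$enc = $_GET['enc'] ?? 'UTF-8';
mb_regex_encoding($enc);                 // flagged: query parameter
mb_regex_encoding('UTF-8');              // not flagged: constant
$hdr = $_SERVER['HTTP_X_ENCODING'];
$chosen = strtoupper($hdr);
mb_regex_encoding($chosen);              // flagged: header via an intermediate variable
$current = mb_regex_encoding();          // getter form, ignored
"""

if __name__ == "__main__":
    print(version_status("PHP 8.3.30 (cli) (built: Apr 30 2026 12:00:00) (NTS)"))
    for lineno, arg in find_risky_calls(SAMPLE_PHP):
        print(f"line {lineno}: mb_regex_encoding({arg}) takes request-derived input")
```

Feed version_status() the first line of `php -v` from each host; any "vulnerable" result belongs in the upgrade queue, and "not-listed" branches (8.1 and older) should be reviewed separately since the advisory says nothing about them. The audit deliberately flags the getter-free setter calls only, so a call like mb_regex_encoding(trim($_GET['enc'])) is still caught because the superglobal appears inside the captured argument text.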
Monitoring Recommendations
- Alert on spikes in PHP worker restarts or segmentation faults reported by the operating system.
- Forward PHP-FPM, Apache, and Nginx error logs to a central log platform for correlation against request patterns.
- Track the rate of 5xx responses from PHP-backed endpoints (a reverse proxy such as Nginx returns 502 when its PHP-FPM upstream dies mid-request) as an early indicator of crash-driven denial of service.
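The crash-to-request correlation described by the indicators and monitoring items above, as an added Python example (not code from the PHP project or the advisory). The PHP-FPM and Nginx log lines are constructed for the demo; the parameter names enc/encoding/charset, the two-second window, and the assumption that both logs are in UTC are assumptions to adapt to your environment.

```python
"""Correlate PHP-FPM worker segfaults with the requests that preceded them.

Added example for CVE-2026-7259, not PHP project or advisory code. Reads PHP-FPM
error log lines for children that exited on signal 11 and Nginx access log lines,
then flags 5xx requests within a short window of a crash whose encoding-like
query parameter is outside an allowlist. Sample log lines are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# php-fpm.log line written when a child dies on SIGSEGV.
FPM_CRASH = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WARNING: \[pool (?P<pool>\w+)\] child (?P<pid>\d+) "
    r"exited on signal 11 \(SIGSEGV\)"
)
# Nginx "combined" access log line.
NGINX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) "
)
ENC_PARAMS = {"enc", "encoding", "charset"}      # assumption: parameter names your app uses
ALLOWED = {"UTF-8", "SJIS", "EUC-JP", "ASCII"}    # allowlist from the workarounds below
WINDOW = timedelta(seconds=2)                     # assumption: tune to your request latency


def crash_times(fpm_lines):
    """Timestamps of SIGSEGV worker exits. PHP-FPM logs local time without an offset;
    this example assumes the host clock is UTC so it can be compared with Nginx's %z."""
    out = []
    for line in fpm_lines:
        m = FPM_CRASH.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
            out.append(ts)
    return out


def suspicious_requests(access_lines, crashes):
    """Return (ip, target, param, value) for 5xx requests near a crash whose
    encoding parameter is not on the allowlist (compared case-insensitively)."""
    hits = []
    for line in access_lines:
        m = NGINX.match(line)
        if not m or not m["status"].startswith("5"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not any(abs(ts - c) <= WINDOW for c in crashes):
            continue
        for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            if name.lower() in ENC_PARAMS and value.upper() not in ALLOWED:
                hits.append((m["ip"], m["target"], name, value))
    return hits


# Constructed sample logs (not captured from a real system).
FPM_LOG = [
    "[10-May-2026 14:03:21] NOTICE: [pool www] child 4822 started",
    "[10-May-2026 14:03:21] WARNING: [pool www] child 4821 exited on signal 11 (SIGSEGV) after 12.345678 seconds from start",
    "[10-May-2026 14:09:02] WARNING: [pool www] child 4830 exited on signal 11 (SIGSEGV) after 301.000214 seconds from start",
]
ACCESS_LOG = [
    '203.0.113.7 - - [10/May/2026:14:03:21 +0000] "GET /search?q=test&enc=X-BOGUS-ENC HTTP/1.1" 502 157 "-" "curl/8.5.0"',
    '198.51.100.4 - - [10/May/2026:14:03:22 +0000] "GET /search?q=test&enc=UTF-8 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2026:14:09:01 +0000] "GET /search?q=a&charset=NOT-AN-ENCODING HTTP/1.1" 502 157 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/May/2026:14:30:00 +0000] "GET /search?q=a&enc=X-BOGUS-ENC HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, target, name, value in suspicious_requests(ACCESS_LOG, crash_times(FPM_LOG)):
        print(f"{ip} sent {name}={value!r} to {target} within {WINDOW.seconds}s of a worker segfault")
```

The fourth access-log line carries the same bogus value but returned 200 far from any crash, so it is not reported; that is deliberate, since an unusual encoding name on its own is weak evidence, while the same name coinciding with a SIGSEGV exit is exactly the pattern the indicators above describe.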
How to Mitigate CVE-2026-7259
Immediate Actions Required
- Upgrade PHP to 8.2.31, 8.3.31, 8.4.21, or 8.5.6 or later, depending on the active branch.
- Identify all application code that calls mb_regex_encoding() with input derived from HTTP requests, file uploads, or other untrusted sources.
- Apply an allowlist of known-good encoding names before invoking mb_regex_encoding().
Patch Information
The PHP project addressed the vulnerability in PHP 8.2.31, 8.3.31, 8.4.21, and 8.5.6. Refer to the PHP Security Advisory GHSA-wm6j-2649-pv75 for the upstream fix details and commit references.
Workarounds
- Validate the encoding argument against a hardcoded list of the encodings your application actually needs, such as UTF-8, SJIS, or EUC-JP, before calling mb_regex_encoding(). Build that list by hand rather than from mb_list_encodings(), which enumerates only the mbfl side of the mismatch and does not show that Oniguruma resolves the same name.
- Wrap calls to mb_regex_encoding() in input sanitization routines that reject unknown or malformed encoding names.
- Tune PHP-FPM's crash handling (the global emergency_restart_threshold and emergency_restart_interval settings govern what the master does when children segfault repeatedly) and rate-limit requests at the web server to endpoints that accept encoding parameters.
# Verify installed PHP version
php -v

# Application-layer mitigation: allowlist the encoding before calling mb_regex_encoding()
<?php
$allowed = ['UTF-8', 'SJIS', 'EUC-JP', 'ASCII'];
$input = $_GET['enc'] ?? 'UTF-8';   // untrusted: comes from a query parameter
if (!in_array($input, $allowed, true)) {
    http_response_code(400);
    exit('unsupported encoding');
}
mb_regex_encoding($input);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


