CVE-2026-7568 Overview
CVE-2026-7568 is an out-of-bounds read vulnerability [CWE-125] in the metaphone() function implemented in ext/standard/metaphone.c within the PHP interpreter. The function uses a signed int variable to track the position within the input string. When an input string exceeds 2,147,483,647 bytes, a signed integer overflow occurs and triggers undefined behavior. The resulting out-of-bounds read can cause a segmentation fault or expose unrelated process memory. PHP maintainers addressed the issue in versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6.
Critical Impact
Applications invoking metaphone() on attacker-influenced input larger than 2 GiB can crash the PHP process or read out-of-bounds memory, impacting availability.
Affected Products
- PHP 8.2.x prior to 8.2.31
- PHP 8.3.x prior to 8.3.31
- PHP 8.4.x prior to 8.4.21 and PHP 8.5.x prior to 8.5.6
Discovery Timeline
- 2026-05-10 - CVE-2026-7568 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-7568
Vulnerability Analysis
The metaphone() function converts an input string into its phonetic representation. Internally, ext/standard/metaphone.c tracks the current parsing position using a signed integer. When the input length exceeds INT_MAX (2,147,483,647 bytes), incrementing this index produces a signed integer overflow. Signed overflow is undefined behavior in C and yields an unpredictable index value. The function then dereferences memory using that index, reading outside the bounds of the input buffer. Depending on memory layout, this triggers a segmentation fault or exposes adjacent heap contents. The defect maps to CWE-125 (Out-of-Bounds Read).
Root Cause
The root cause is the use of a signed 32-bit counter rather than a width-safe type such as size_t for indexing input bytes. PHP strings can exceed INT_MAX on 64-bit builds, so the index type must accommodate the full string length. The fix replaces the unsafe counter with a sufficiently wide type and validates traversal against the actual string length.
Attack Vector
Exploitation requires an attacker to supply a string larger than 2 GiB to metaphone(). The condition is rare in production workloads because most input pipelines reject or truncate inputs of that size. Web endpoints that accept large uploads or stream data directly into metaphone() are the most likely entry points. Successful triggering produces a process crash and denial of service against the PHP worker handling the request. There is no public proof-of-concept, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified exploit code is available. Refer to the PHP GitHub Security Advisory GHSA-96wq-48vp-hh57 for the upstream fix and technical commentary.
Detection Methods for CVE-2026-7568
Indicators of Compromise
- Unexpected segmentation faults or SIGSEGV entries in PHP-FPM, Apache mod_php, or CLI worker logs that correlate with calls into metaphone().
- HTTP requests or job payloads containing string fields larger than 2 GiB targeting endpoints that pass user input to phonetic processing routines.
- Sudden restarts of PHP workers or container OOM-adjacent crashes without a matching application-level exception.
Detection Strategies
- Audit application code for direct or indirect calls to metaphone() and identify call sites where input size is not bounded before invocation.
- Inspect web server and reverse proxy logs for abnormally large request bodies or query parameters directed at affected endpoints.
- Correlate PHP crash dumps with request identifiers to determine whether oversized inputs preceded the failure.
Monitoring Recommendations
- Track PHP process exit codes and crash counters in your observability platform and alert on spikes.
- Enforce request body size limits at the web server tier (client_max_body_size in nginx, LimitRequestBody in Apache) and log violations.
- Forward PHP error logs to a centralized log platform and create rules for repeated metaphone stack frames in core dumps.
How to Mitigate CVE-2026-7568
Immediate Actions Required
- Upgrade PHP to 8.2.31, 8.3.31, 8.4.21, or 8.5.6 depending on the branch in use.
- Inventory application code and dependencies for usages of metaphone() and confirm input length is validated before the call.
- Apply request size limits at the reverse proxy or web server tier to reject payloads larger than realistic business needs.
Patch Information
PHP maintainers fixed the integer handling in ext/standard/metaphone.c in PHP 8.2.31, 8.3.31, 8.4.21, and 8.5.6. The advisory and patch references are documented in the PHP GitHub Security Advisory GHSA-96wq-48vp-hh57. Distribution maintainers have issued corresponding package updates for supported branches.
Workarounds
- Enforce strict input length validation before any call to metaphone(), rejecting strings beyond a small fixed maximum.
- Disable code paths that invoke metaphone() on untrusted input until the patched PHP version is deployed.
- Constrain upload and form sizes at the ingress layer to prevent multi-gigabyte payloads from reaching PHP workers.
# Example nginx ingress limit to prevent oversized payloads reaching PHP
http {
client_max_body_size 10m;
client_body_buffer_size 128k;
}
# Verify installed PHP version after patching
php -v
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
