PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48979 php-standard-library CVE debrief

The PHP Standard Library (PSL) contains a high-severity vulnerability, CVE-2026-48979, affecting versions 6.1.0, 6.1.1, and 6.2.0. This vulnerability allows for request smuggling due to improper validation of DATA frames in the Psl/H2/Server. A malicious client can exploit this by sending more or fewer DATA bytes than declared, potentially bypassing application-level size limits or causing incorrect behavior in applications that trust the declared length. This issue is fixed in versions 6.1.2 and 6.2.1. The vulnerability is only reachable for consumers using Psl/H2/Server directly to accept untrusted client traffic, while users of documented high-level PSL APIs are not affected.

Vendor
php-standard-library
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-23
Advisory published
2026-06-17
Advisory updated
2026-06-23

Who should care

Developers and administrators using PHP Standard Library (PSL) versions 6.1.0, 6.1.1, or 6.2.0 should be aware of this vulnerability. Specifically, those who directly use Psl/H2/Server to handle untrusted client traffic are at risk. Users of high-level PSL APIs are not affected.

Technical summary

The Psl/H2/Server in PHP Standard Library (PSL) versions 6.1.0, 6.1.1, and 6.2.0 does not properly validate the total bytes received in DATA frames against the content-length header declared in the HEADERS frame. This violates RFC 9113 §8.1.1 and allows for request smuggling. An attacker can exploit this by sending more DATA bytes than declared to smuggle additional content past size limits or send fewer bytes and close the stream early, causing applications that rely on the declared length to behave incorrectly.
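The check described above, as an added example that is not PSL's own code: a per-stream tracker that enforces RFC 9113 §8.1.1 by rejecting a DATA frame the moment the running total exceeds the declared content-length, and rejecting END_STREAM that arrives short of it. It assumes frames are already parsed into `(kind, payload, end_stream)` tuples with `kind` either `"HEADERS"` or `"DATA"`, padding already stripped, and a numeric content-length.

```python
# Added example (not PSL's own code): the RFC 9113 §8.1.1 check the page says
# Psl/H2/Server lacked. Frames are modelled as tuples; padding is assumed to
# be stripped already, so only DATA payload bytes count towards the body.
from typing import Optional

PROTOCOL_ERROR = 0x1  # RFC 9113 §7 error code used for malformed messages


class StreamError(Exception):
    def __init__(self, stream_id: int, code: int, reason: str) -> None:
        super().__init__(f"stream {stream_id}: {reason}")
        self.stream_id, self.code, self.reason = stream_id, code, reason


class StreamBody:
    # Tracks declared vs. received body length for one HTTP/2 stream.
    def __init__(self, stream_id: int) -> None:
        self.stream_id = stream_id
        self.declared: Optional[int] = None  # content-length, None if absent
        self.received = 0
        self.chunks: list = []

    def on_headers(self, headers: dict, end_stream: bool) -> None:
        value = headers.get("content-length")
        if value is not None:
            self.declared = int(value)  # assumed numeric (see lead-in)
        if end_stream:  # HEADERS+END_STREAM: body must already be complete
            self._finish()

    def on_data(self, payload: bytes, end_stream: bool) -> None:
        self.received += len(payload)
        # Over-length is rejected on arrival, before the bytes reach the app
        if self.declared is not None and self.received > self.declared:
            raise StreamError(self.stream_id, PROTOCOL_ERROR, "DATA exceeds content-length")
        self.chunks.append(payload)
        if end_stream:
            self._finish()

    def _finish(self) -> None:
        # Under-length: END_STREAM arrived before the declared byte count
        if self.declared is not None and self.received != self.declared:
            raise StreamError(self.stream_id, PROTOCOL_ERROR, "DATA short of content-length")


def read_body(stream_id: int, frames: list) -> tuple:
    """Returns (body, None) for a well-formed stream, else (None, reason)."""
    body = StreamBody(stream_id)
    try:
        for kind, payload, end_stream in frames:
            (body.on_headers if kind == "HEADERS" else body.on_data)(payload, end_stream)
    except StreamError as err:
        return None, err.reason
    return b"".join(body.chunks), None
```

A real server would answer a `StreamError` with RST_STREAM carrying `PROTOCOL_ERROR` and discard the partial body rather than hand it to the application.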

Defensive priority

High

Recommended defensive actions

  • Upgrade to PHP Standard Library version 6.1.2 or 6.2.1 immediately.
  • Review and update any applications or services using Psl/H2/Server to handle untrusted client traffic.
  • Implement additional monitoring for unusual traffic patterns that could indicate exploitation attempts.
  • Ensure that applications relying on PSL do not trust declared lengths for DATA frames without proper validation.
  • Consider using documented high-level PSL APIs if not already in use.
  • Review RFC 9113 §8.1.1 for a deeper understanding of the HTTP/2 specification and potential mitigations.

Evidence notes

This vulnerability is confirmed by the CVE record and details from the National Vulnerability Database (NVD). The CVE was published on 2026-06-17 and modified on 2026-06-18. Fixes are available in versions 6.1.2 and 6.2.1 of the PHP Standard Library.
