PatchSiren cyber security CVE debrief
CVE-2026-6104 Unknown Vendor CVE debrief
CVE-2026-6104 is a PHP mbstring vulnerability disclosed on 2026-05-10. In affected PHP 8.4.* and 8.5.* releases, an encoding name containing an embedded NUL byte can make mbstring treat a strncasecmp() return value of 0 as proof that the two strings are the same length. Because strncasecmp() stops at the first NUL byte in either operand, a name that matches a known encoding up to that NUL compares equal even when its declared length is longer. That logic error can lead to an out-of-bounds read of global memory, which may result in a crash or information disclosure.
- Vendor
- Unknown Vendor (vendor and product are not populated in the stored record; the NVD description itself identifies the affected software as PHP)
- Product
- Unknown (the description names the PHP mbstring extension)
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-10
- Original CVE updated
- 2026-05-10
- Advisory published
- 2026-05-10
- Advisory updated
- 2026-05-10
Who should care
Teams running PHP applications that use mbstring functions such as mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), or mb_detect_order(), especially where encoding names can be influenced by untrusted input (request parameters, uploaded metadata, client-declared charsets) or by the mbstring.detect_order and mbstring.http_output INI settings.
Technical summary
According to the NVD description, the flaw is in PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6. When mbstring processes an encoding name containing an embedded NUL byte, it incorrectly assumes that strncasecmp() returning 0 means both strings are the same length. strncasecmp() compares at most n bytes but stops early at the first NUL in either string, so a length-delimited name of the form "<valid name>\0<trailing bytes>" compares equal to the shorter table entry while carrying a larger length; code that then uses that larger length against the table entry reads past it. That can cause an out-of-bounds read of global memory in related mbstring code paths, including mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), mb_detect_order(), and the mbstring.detect_order and mbstring.http_output INI settings. NVD assigns CWE-125 (Out-of-bounds Read) and a CVSS 6.3 medium severity score.
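To make the logic error concrete, the following is an added illustration in C. It is not PHP's mbstring source: the encoding table, the function names and the inputs are constructed for the example. It contrasts a flawed lookup that treats strncasecmp() == 0 as a full match with a hardened one that rejects embedded NUL bytes and requires equal lengths before comparing. The overread_bytes() helper only reports how far past the matched table entry a len-byte read would reach; it does not perform the read.

```c
/* Added illustration of the strncasecmp() length-confusion pattern.
 * This is NOT PHP's mbstring code; the table, function names and
 * inputs below are constructed for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp() */

/* Constructed table of encoding names (hypothetical; PHP's table differs). */
static const char *const ENCODINGS[] = { "UTF-8", "UTF-16", "ASCII", "ISO-8859-1" };
#define N_ENCODINGS (sizeof ENCODINGS / sizeof ENCODINGS[0])

/* Flawed lookup: (name, len) is a length-delimited string that may contain
 * NUL bytes. strncasecmp() stops at the first NUL in either operand, so for
 * name = "UTF-8\0junk", len = 10 it returns 0 against "UTF-8" although the
 * caller's string is 10 bytes and the table entry occupies 6 (with its
 * terminator). Code that then reads `len` bytes from the matched entry runs
 * 4 bytes past the "UTF-8" literal: an out-of-bounds read of global memory.
 * (It also accepts bare prefixes such as "UTF"; that case is shorter, not
 * longer, so it misidentifies rather than over-reads.) */
int find_encoding_flawed(const char *name, size_t len) {
    for (size_t i = 0; i < N_ENCODINGS; i++) {
        if (strncasecmp(name, ENCODINGS[i], len) == 0)
            return (int)i;
    }
    return -1;
}

/* True when the length-delimited name contains a NUL byte within `len`. */
bool has_embedded_nul(const char *name, size_t len) {
    return memchr(name, '\0', len) != NULL;
}

/* Hardened lookup: reject embedded NULs, require equal lengths, and only then
 * compare case-insensitively over exactly that length. */
int find_encoding_safe(const char *name, size_t len) {
    if (has_embedded_nul(name, len))
        return -1;
    for (size_t i = 0; i < N_ENCODINGS; i++) {
        if (strlen(ENCODINGS[i]) == len && strncasecmp(name, ENCODINGS[i], len) == 0)
            return (int)i;
    }
    return -1;
}

/* How many bytes a `len`-byte read of table entry `idx` would touch beyond
 * the entry's storage (string plus terminator); 0 when the read stays in
 * bounds or idx is invalid. Reports only; it never performs the read. */
size_t overread_bytes(int idx, size_t len) {
    if (idx < 0 || (size_t)idx >= N_ENCODINGS)
        return 0;
    size_t entry_len = strlen(ENCODINGS[idx]) + 1;
    return len > entry_len ? len - entry_len : 0;
}

int main(void) {
    /* Constructed attacker-style input: a valid name, an embedded NUL and
     * trailing bytes, passed with its full 10-byte length. */
    static const char evil[] = "UTF-8\0junk";
    size_t evil_len = sizeof evil - 1;   /* 10, excluding the final terminator */
    int f = find_encoding_flawed(evil, evil_len);
    int s = find_encoding_safe(evil, evil_len);
    printf("flawed lookup: %d (entry \"%s\"), would over-read %zu bytes\n",
           f, f >= 0 ? ENCODINGS[f] : "none", overread_bytes(f, evil_len));
    printf("safe lookup:   %d\n", s);
    return 0;
}
```

The hardened routine does the length comparison before the case-insensitive one, so a NUL-terminated compare can never be mistaken for an exact match; that ordering is the general fix for this class of bug, independent of the particular table or caller.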
Defensive priority
Medium (CVSS 6.3). Prioritize patching where your PHP estate uses mbstring and may accept externally controlled encoding names, or where mbstring.detect_order or mbstring.http_output can be set outside your normal change control. The primary impact described by NVD is a crash or information disclosure rather than code execution.
Recommended defensive actions
- Upgrade PHP to 8.4.21 or later, or 8.5.6 or later, as applicable.
- Inventory applications that call mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), or mb_detect_order().
- Review any code or configuration that accepts user-controlled or externally supplied encoding names, and do not pass such names to mbstring unvalidated: reject names containing NUL bytes and accept only names that appear in an allowlist (for example the result of mb_list_encodings()).
- Treat unexpected mbstring crashes involving encoding handling as potential security events and investigate the inputs that triggered them.
- Keep mbstring.detect_order and mbstring.http_output under configuration control (php.ini or deployment config) rather than deriving them from runtime input, and apply the same NUL-byte and allowlist checks to any value that reaches them.
Evidence notes
This debrief is based only on the supplied NVD record and the referenced official PHP security advisory URL. The published CVE date used for context is 2026-05-10T06:16:07.397Z. No exploit details or unverified remediation claims are included.
Official resources
- CVE-2026-6104 CVE record (CVE.org)
- CVE-2026-6104 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
Public CVE disclosure; first published in the supplied record on 2026-05-10T06:16:07.397Z.