PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7259 Unknown Vendor CVE debrief

CVE-2026-7259 is a low-severity denial-of-service issue in PHP's mbstring extension. In affected releases, a mismatch between the encoding lists maintained by Oniguruma (the regex engine behind the mb_ereg* functions) and mbfl (the mbstring conversion library) can lead to a NULL pointer dereference and a segmentation fault when user-controlled input influences the encoding name passed to mb_regex_encoding(). The practical impact is a crash of the PHP process handling the request rather than code execution or data loss, but an exposed service can still lose availability if the crash can be triggered repeatedly.

Vendor: Unknown Vendor (as recorded; the affected software is PHP)
Product: Unknown (as recorded; the affected component is PHP's mbstring extension)
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

PHP application owners, framework maintainers, and operators of services that use the mbstring regex functions, in particular anywhere mb_regex_encoding() receives a user-influenced encoding value. Systems running PHP 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, or 8.5.* before 8.5.6 should be checked first.
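The following is an added triage helper, not code from the advisory or the PHP project. It classifies a PHP version string against the four affected ranges listed above, tolerating distribution suffixes such as "8.3.10-1ubuntu1", so it can be run under each interpreter in a fleet (for example with php -f) to find hosts that still need the upgrade. The constant name and function name are chosen for this example.

```php
<?php
declare(strict_types=1);

// First fixed release per affected branch, taken from the ranges stated in this debrief.
const CVE_2026_7259_FIXED = [
    '8.2' => '8.2.31',
    '8.3' => '8.3.31',
    '8.4' => '8.4.21',
    '8.5' => '8.5.6',
];

/**
 * True if $version belongs to an affected branch and is older than that branch's fix.
 * Branches the advisory does not name (for example 8.1) return false; treat that
 * as "not covered by this record", not as "known safe".
 */
function isAffectedByCve20267259(string $version): bool
{
    // Reduce "8.3.10-1ubuntu1", "8.4.2RC1", etc. to major.minor.patch.
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        throw new InvalidArgumentException("unrecognised PHP version string: $version");
    }
    $branch = $m[1] . '.' . $m[2];
    $plain  = $branch . '.' . $m[3];
    if (!isset(CVE_2026_7259_FIXED[$branch])) {
        return false;
    }
    return version_compare($plain, CVE_2026_7259_FIXED[$branch], '<');
}

// Report on the interpreter this script is running under.
printf(
    "PHP %s: %s\n",
    PHP_VERSION,
    isAffectedByCve20267259(PHP_VERSION) ? 'in an affected range, upgrade' : 'not in an affected range'
);
```

The version string is only a first pass. Distributions that backport security fixes without changing the upstream version number (a common practice for Debian, Ubuntu and RHEL packages) will report an "affected" version after the fix has been applied; confirm against the package changelog or the vendor's own advisory before treating such hosts as vulnerable.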

Technical summary

The vulnerability is described as a mismatch between the encoding lists used by Oniguruma and mbfl in PHP: an encoding name that one side knows and the other does not resolves to a NULL entry. Under the affected conditions, calling mb_regex_encoding() with an encoding influenced by user-controlled input dereferences that NULL pointer and the PHP process segfaults. Under PHP-FPM this kills the worker serving the request; the pool master restarts workers, so the effect is degraded capacity and failed requests rather than a permanent outage. The CVSS score in the supplied record (2.1, LOW) reflects a limited availability impact and assumes preconditions, namely user interaction and an application that exposes the encoding choice, that many deployments do not meet.

Defensive priority

Patch promptly if your application accepts or derives the value passed to mb_regex_encoding() from users or external requests. For internal-only usage with no user influence, the priority is lower, but upgrading to a fixed PHP release is still recommended: the fixes are routine point releases, and the cost of not applying them is a reproducible crash and loss of availability.

Recommended defensive actions

  • Upgrade PHP to a fixed release: 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later.
  • Review code paths that call mb_regex_encoding() and remove any user-controlled or externally supplied encoding values (query parameters, headers, form fields, or values derived from them).
  • Where encoding choice is required, enforce a strict allowlist of expected encodings before calling mb_regex_encoding(); map the request value onto a fixed canonical name and never forward the raw string.
  • Monitor application and PHP-FPM logs for unexpected segmentation faults (PHP-FPM logs these as a child that "exited on signal 11 (SIGSEGV)"); repeated crashes correlated with requests carrying an encoding parameter may indicate exposure or active probing.
  • If you cannot upgrade immediately, reduce exposure by ensuring the affected functionality is not reachable from untrusted input.
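The following is an added example of the allowlist mitigation, not code from the advisory or the PHP project. It shows the unsafe pattern (forwarding a request parameter straight into mb_regex_encoding()) beside a guarded wrapper that maps untrusted input onto a small, explicit set of canonical encoding names and falls back to a default otherwise. The allowlist contents, the constant and function names, and the use of a query parameter as the input source are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Unsafe pattern this example replaces: the raw request value reaches the
// Oniguruma/mbfl mapping, which is exactly the path CVE-2026-7259 describes.
//     mb_regex_encoding($_GET['enc']);

// Explicit allowlist of the regex encodings this application actually uses.
// Keys are canonical names handed to mb_regex_encoding(); values are the
// lowercase spellings accepted from input. Assumed set, tailor it per application
// and exercise every entry in tests on the PHP build you deploy.
const REGEX_ENCODING_ALLOWLIST = [
    'UTF-8'      => ['utf-8', 'utf8'],
    'ISO-8859-1' => ['iso-8859-1', 'latin1'],
    'SJIS'       => ['sjis', 'shift_jis', 'shift-jis'],
];

/**
 * Map an untrusted encoding name onto an allowlisted canonical name,
 * or null when it is not allowlisted. Normalisation is deliberately minimal:
 * trim and lowercase only, never "repair" or guess.
 */
function canonicalRegexEncoding(string $requested): ?string
{
    $needle = strtolower(trim($requested));
    if ($needle === '' || strlen($needle) > 32) {
        return null;
    }
    foreach (REGEX_ENCODING_ALLOWLIST as $canonical => $spellings) {
        if (in_array($needle, $spellings, true)) {
            return $canonical;
        }
    }
    return null;
}

/**
 * Set the mbregex encoding from an untrusted value, falling back to $default
 * (which must itself be allowlisted). The raw input is never passed through.
 */
function setRegexEncodingFromRequest(?string $requested, string $default = 'UTF-8'): string
{
    $canonical = $requested === null ? null : canonicalRegexEncoding($requested);
    if ($canonical === null) {
        // Record the rejection (var_export quotes the value so log injection via
        // control characters is not a concern) and use the default instead.
        error_log(sprintf('rejected regex encoding %s', var_export($requested, true)));
        $canonical = $default;
    }
    if (mb_regex_encoding($canonical) !== true) {
        throw new RuntimeException("mb_regex_encoding() rejected allowlisted value $canonical");
    }
    return $canonical;
}

// Usage: the encoding choice arrives as a query parameter (untrusted input).
$active = setRegexEncodingFromRequest($_GET['enc'] ?? null);
$matches = [];
mb_ereg('([[:alpha:]]+)', 'hello', $matches);
printf("regex encoding %s, first match %s\n", $active, $matches[1] ?? '');
```

Because the bug is described as a disagreement between the mbfl and Oniguruma encoding lists, validating input against mb_list_encodings() is not a substitute for this allowlist: that function reports what mbfl knows, which is one side of the mismatch. Keep the allowlist short, restricted to encodings the application has actually exercised with mb_ereg* on the deployed PHP build, and treat the fallback-to-default path as a logged anomaly rather than a silent correction.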

Evidence notes

This debrief is based on the CVE description supplied in the source corpus and the official NVD record. The NVD reference points to the PHP security advisory GHSA-wm6j-2649-pv75. The supplied record assigns CVSS 2.1 (LOW) and CWE-476 (NULL pointer dereference). No KEV entry was provided in the corpus for this CVE.

Official resources

NVD record for CVE-2026-7259, published 2026-05-10, which references the PHP security advisory GHSA-wm6j-2649-pv75. No KEV entry or KEV date was provided in the source corpus.