PatchSiren cyber security CVE debrief
CVE-2026-7568 Unknown Vendor CVE debrief
CVE-2026-7568 is a PHP availability issue in the metaphone() function. According to the published description, very large inputs can trigger signed integer overflow in the position-tracking logic, which can result in undefined behavior, an out-of-bounds read, and process instability such as a crash or access to unrelated memory. The issue is documented for PHP 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6.
- Vendor
- Unknown Vendor
- Product
- Unknown
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-10
- Original CVE updated
- 2026-05-10
- Advisory published
- 2026-05-10
- Advisory updated
- 2026-05-10
Who should care
Administrators and developers running PHP applications that call metaphone(), especially in services that accept user-supplied text or process untrusted input at scale. SRE and platform teams should care if PHP process availability is business-critical, since the issue can cause denial of service through a crash.
Technical summary
The vulnerability is caused by use of a signed int to track the current position within the input string in ext/standard/metaphone.c. If the input exceeds 2,147,483,647 bytes, the position counter overflows, creating undefined behavior. The described impact is an out-of-bounds read that may crash the PHP process or expose unrelated memory contents to the process context. NVD maps the issue to CWE-125 and CWE-190.
Defensive priority
Medium. The primary impact is availability, but the bug is in a widely deployed core PHP function and can be triggered by pathological input size. Prioritize if your applications can pass user-controlled text into metaphone() or if PHP process crashes materially affect uptime.
Recommended defensive actions
- Upgrade PHP to a fixed release: 8.2.31, 8.3.31, 8.4.21, or 8.5.6 or later, depending on your branch.
- Audit application code and frameworks for use of metaphone() and verify whether any call paths can receive untrusted or excessively large input.
- Add input-size limits and request validation before text reaches PHP string-processing routines, especially in public-facing services.
- Monitor PHP error logs and crash telemetry for unexplained segmentation faults or worker restarts around text-processing endpoints.
- If immediate upgrading is not possible, reduce exposure by restricting or removing code paths that invoke metaphone() on attacker-controlled data.
Evidence notes
The vulnerability description and affected-version ranges come from the supplied CVE record and NVD source item. NVD lists the reference to the PHP project security advisory at https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57. No additional claims are made beyond the provided corpus.
Official resources
-
CVE-2026-7568 CVE record
CVE.org
-
CVE-2026-7568 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
Published in the supplied CVE record on 2026-05-10T05:16:11.920Z; the NVD source item shows the same timestamp and references a PHP security advisory. This debrief uses the published CVE timestamp as the issue date context.