CVE-2024-4577
Published Jun 9, 2024
Last updated 6 months ago
AI description
CVE-2024-4577 is a vulnerability that enables remote code execution in PHP installations on Windows servers. It specifically affects systems running PHP in CGI mode or those exposing the PHP binary. Exploitation involves leveraging the Windows "Best-Fit" encoding feature, typically by inserting a "soft hyphen" character within a URL. This allows attackers to bypass PHP sanitization measures and execute arbitrary code via the `php.exe` executable. While initially believed to have a broader impact, further research revealed that successful exploitation primarily hinges on the system's locale being configured for Chinese (simplified or traditional) or Japanese. Other similar locales might also be susceptible. The vulnerability affects PHP versions 8.1 before 8.1.29, 8.2 before 8.2.20, and 8.3 before 8.3.8. Proof-of-concept exploits were observed shortly after the vulnerability's disclosure, highlighting its potential for misuse.
- Description: In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
- Source: security@php.net
- NVD status: Analyzed
- Products: php, fedora
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
Data from CISA
- Vulnerability name: PHP-CGI OS Command Injection Vulnerability
- Exploit added on: Jun 12, 2024
- Exploit action due: Jul 3, 2024
- Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 6
I just rooted Giveback on @hackthebox_eu! 🚩 🔸 CVE-2024-5932 (GiveWP) → RCE 🔸 CVE-2024-4577 (PHP-CGI) → pivot in K8s 🔸 CVE-2024-21626 (runc) → container escape → root https://t.co/mF7niWbmNt #HackTheBox #HTB #CVE #Kubernetes #Pentesting #
@cyberknight_91
12 May 2026
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
PHP-CGI RCE attempt observed (CVE-2024-4577) 2026-05-11 02:15:08 UTC Source IP: 130.78.217.194 🇬🇧 POST /cgi-bin/param.cgi?post_raw IOCs: 130.78.217.194 🇬🇧 hxxp://130.78.217.194:8888/bot.sh 06f55a73b369040bee42de084027d3dc https://t.co/UjDd4lcPGH
@sicehice
11 May 2026
2926 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
the foundation is already compromised. cve-2024-4577, critical php rce via argument injection on windows, is now under active exploitation. ignored patches mean widespread web server compromise. your data is already out there.
@thededbatman
1 May 2026
2 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
TRC analysis shows RedTail cryptomining campaign exploiting CVE-2024-4577 PHP vulnerability with 'libredtail-http' User-Agent. Attackers achieve remote code execution, deploy miners, and establish C2 connections for resource hijacking. #ZeroDay #ThreatIntel 🔗 Full TRC analysi
@aviatrixtrc
30 Apr 2026
58 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
New Libredtail campaign exploits CVE-2024-4577 to deploy redtail cryptomining malware via HTTP POST attacks targeting PHP misconfigurations. Honeypot data shows coordinated activity from German 🇩🇪, British 🇬🇧, and Indian 🇮🇳 IPs. #DFIR_Radar https://t.co/t0uLDWZ
@DFIR_Radar
30 Apr 2026
107 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
CVE-2024-4577. CVSS 9.8 (CRITICAL) | PHP 8.1-8.3 (Windows CGI) | Best-Fit Character Conversion Bypass → Unauthenticated RCE
@lyrie_ai
29 Apr 2026
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
00:00 UTC: CVE-2024-4577 disclosed. CVE-2024-4577: PHP-CGI RCE via Windows Best-Fit Character Conversion
@lyrie_ai
29 Apr 2026
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2024-4577 In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages ... https://t.co/DDWph7iIcd https://t.co/feZjoNZcbR
@CVEradars
2 Apr 2026
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#letsdefend I have gained new badge on @LetsDefendIO Just completed a hands-on investigation of CVE-2024-4577 (PHP-CGI RCE) on LetsDefend. Artifact analysis, version fingerprinting, and exploitation chain — logged and done. #SOC #BlueTeam #Cybersecurity https://t.co/loAukVfuN
@SALIMASSILI2006
30 Mar 2026
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Just finished analyzing a 6-day PCAP and caught the RedTail botnet in action! Defeated a fileless execution attempt exploiting CVE-2024-4577 and mapped out the attacker's infrastructure using OSINT. full report here: https://t.co/asIfqqjrQk #CyberSecurity #report #InfoSec htt
@Danwaxiree
20 Mar 2026
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Heads up, hunters! CVE-2024-4577: Critical RCE in PHP-FPM on Windows (CVSS 9.8). This 'best-fit' bypass means arbitrary code execution via argument injection. Check your PHP-CGI deployments ASAP. Patch or get popped! https://t.co/8aTCLSu3fU
@computerauditor
9 Mar 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
HackTheBox - GiveBack 🧩 Vulnerable WordPress plugin - CVE-2024-5932 🔁 Vulnerable CGI-PHP - CVE-2024-4577 🔑 Kubernetes secrets + SSH access 🚀 Abusing runc to escalate privileges https://t.co/F8QTI2T9UZ
@sckull_
21 Feb 2026
85 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Heads up Sysadmins: We just intercepted and neutralized an active "RedTail" crypto-jacking attack on client servers. Exploiting CVE-2024-4577 (PHP-CGI) to deploy miners hidden as fake [kcached] kernel processes. #InfoSec #Linux #AWS #MalwareAlert https://t.co/F6l3qRcXrF
@SURAJSINGH19746
14 Feb 2026
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
New case for 🇯🇵 shows, as one hole in PHP turns into a quiet occupation of the entire network: they beat the CVE-2024-4577, pour PowerShell through PHP, raise Cobalt Strike with TaoWu-plugins, disperse Potatoes to SYSTEM, are registered in registry and bags, clean logs, sca
@Hack_Your_Mom
12 Nov 2025
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
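Cybercriminals are exploiting vulnerabilities in PHP and its frameworks to accelerate cryptocurrency mining. In particular, ThinkPHP, PHPUnit, and the recently disclosed CVE-2024-4577 are being targeted, and from August to October 2025 attacks have rapidly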
@yousukezan
5 Nov 2025
948 Impressions
0 Retweets
4 Likes
1 Bookmark
0 Replies
0 Quotes
Actively exploited CVE : CVE-2024-4577
@transilienceai
26 Oct 2025
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2024-4577
@transilienceai
25 Oct 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
📢 Hot off the press: CVE insights! Learn how CVE-2024-4577 lets attackers hijack PHP servers via CGI injection and how to defend using threat intelligence and proactive mitigation. 👉 Dive into the f
@PurpleOps_io
12 Oct 2025
80 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Using real-world attack data from Akamai's research team, this session will showcase live exploitation demos, explore the impact of vulnerabilities like CVE-2024-4577 (PHP-CGI Argument Injection), & introduce cutting-edge Unicode fuzzing techniques. Tix: https://t.co/m4J2bIg
@BSides_NoVA
24 Sept 2025
169 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
📢 New CVE analysis just dropped! CVE-2024-4577 lets attackers remotely run code on your server-find out if you're vulnerable and how to stop exploitation before it's too late. 👉 Dive into the full a
@PurpleOps_io
21 Sept 2025
72 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2024-4577
@transilienceai
15 Sept 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2024-4577
@transilienceai
13 Sept 2025
100 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2024-4577
@transilienceai
10 Sept 2025
69 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2024-4577
@transilienceai
9 Sept 2025
58 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2024-4577
@transilienceai
8 Sept 2025
84 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2024-4577
@transilienceai
6 Sept 2025
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2024-4577
@transilienceai
5 Sept 2025
64 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
cve-2024-4577 completely understood
@saudade_yuki
30 Aug 2025
88 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#hack #snaphack📢📢📢📢 #buyingcontent #monkeyapp #telegramlink #buysnaphack Pay before service only. $$💵💵💰💰 #snapchatleak Hackers are exploiting CVE-2024-4577 to deploy crypto miners ⛏️ & Quasar RAT on Windows servers‼‼ h
@hire_a_hacker12
11 Aug 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Likely botnet mass exploiting CVE-2024-4577 (PHP Vulnerability) 146.185.182.65 🇳🇱 AS 14061 ( DIGITALOCEAN-ASN ) https://t.co/b5uHvQkwdB
@DefusedCyber
24 Jul 2025
193 Impressions
1 Retweet
4 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-4577 Scanner & Exploit PoC released! PHP CGI Argument Injection → Remote Code Execution 🔗 GitHub: https://t.co/KUJb77k6oy #infosec #cybersecurity #CVE2024 #rce #bugbounty #poc
@r0otk3r
7 Jul 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2024-4577
@transilienceai
2 Jul 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 #breacheyesonly📢📢 #snaphack #buyingcontent #monkeyappgirls🔗🔒🔗 #crypto #snapchatleak #bitcoin💰 #easymoney🌐🌐 #purchasesnaphack🛎️🛎️ #Everyone #recovery🚨 Cybercriminals are exploiting CVE-2024-4577, a critical PHP flaw, to gain remote access
@SeniorRabe39569
12 Jun 2025
21 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
💥 LockBit ransomware gang hacked Their dark web site was defaced, leaking a MySQL dump with 75 affiliate passwords, chats, BTC addresses, and configs. The breach (via CVE-2024-4577) adds to LockBit’s post-Cronos downfall. https://t.co/r5vn93jjUG #Lockbit #DataLeak #DarkWe
@dCypherIO
8 May 2025
134 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#hack #snaphack📢📢📢📢 #buyingcontent #monkeyapp #telegramlink #buysnaphack Pay before service only. $$💵💵💰💰 #snapchatleak Hackers are exploiting CVE-2024-4577 to deploy crypto miners ⛏️ & Quasar RAT on Windows servers‼‼ https://t.co/ojnlvtvYqO
@recoverythreata
23 Apr 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#hack #snaphack📢📢📢📢 #buyingcontent #monkeyapp #telegramlink #buysnaphack Pay before service only. $$💵💵💰💰 #snapchatleak Hackers are exploiting CVE-2024-4577 to deploy crypto miners ⛏️ & Quasar RAT on Windows servers‼‼ https://t.co/MXIw3413mB
@walletwardenn
22 Apr 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#hack #snaphack📢📢📢📢 #buyingcontent #monkeyapp #telegramlink #buysnaphack Pay before service only. $$💵💵💰💰 #snapchatleak Hackers are exploiting CVE-2024-4577 to deploy crypto miners ⛏️ & Quasar RAT on Windows servers‼‼ https://t.co/9nERalEnWb
@HACK_PRO1
22 Apr 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨#breacheyesonly📢📢 #snaphack #buyingcontent #monkeyappgirls🔗🔐🔗 #crypto #snapchatleak #bitcoin฿💰#easymoney🌐#purchasesnaphack🛎️🛎️#Everyone #recovery🚨Cybercriminals are exploiting CVE-2024-4577, a critical PHP flaw, to gain remote access to systems in Japan‼‼‼💼💼 http
@dack_tech_247
21 Apr 2025
64 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
#hack #snaphack📢📢📢📢 #buyingcontent #monkeyapp #telegramlink #buysnaphack Pay before service only. $$💵💵💰💰 #snapchatleak Hackers are exploiting CVE-2024-4577 to deploy crypto miners ⛏️ & Quasar RAT on Windows servers‼‼ https://t.co/YYycT2w8bw
@HACK_PRO1
21 Apr 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#hack #snaphack📢📢📢📢 #buyingcontent #monkeyapp #telegramlink #buysnaphack Pay before service only. $$💵💵💰💰 #snapchatleak Hackers are exploiting CVE-2024-4577 to deploy crypto miners ⛏️ & Quasar RAT on Windows servers‼‼ https://t.co/I6yWjIq4mp
@Vectorhackz
19 Apr 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#hack #snaphack📢📢📢📢 #buyingcontent #monkeyapp #telegramlink #buysnaphack Pay before service only. $$💵💵💰💰 #snapchatleak Hackers are exploiting CVE-2024-4577 to deploy crypto miners ⛏️ & Quasar RAT on Windows servers‼‼ https://t.co/O6r87kkFWY
@JOE_HACKER1
16 Apr 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#hack #snaphack📢📢📢📢 #buyingcontent #monkeyapp #telegramlink #buysnaphack Pay before service only. $$💵💵💰💰 #snapchatleak Hackers are exploiting CVE-2024-4577 to deploy crypto miners ⛏️ & Quasar RAT on Windows servers‼‼ https://t.co/toCfLJt4h0
@walletwardenn
16 Apr 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "7DC2EEF8-834B-42A1-8DA3-0C2CF22A7070",
            "versionEndExcluding": "8.1.29",
            "versionStartIncluding": "8.1.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "A39988FF-D854-4277-9D66-6911AF371DD3",
            "versionEndExcluding": "8.2.20",
            "versionStartIncluding": "8.2.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "F579FFC1-4F81-4755-B14B-3AA73AC9FF7A",
            "versionEndExcluding": "8.3.8",
            "versionStartIncluding": "8.3.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
            "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*",
            "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]