CVE-2026-7258
Published 2026-05-10
Priority P3 (41) · Severity high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.34% (25.5th percentile)
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass a signed char to ctype functions such as isxdigit(). On systems where char is signed by default and the ctype functions are implemented as optimized table lookups, such as NetBSD, any input byte of 0x80 or above is promoted to a negative int and becomes a negative offset into the lookup table; the resulting out-of-bounds read can trigger a denial of service.
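The following C program is an added illustration of the pattern the description sketches; it is not PHP's source and not code from any advisory quoted on this page. It models a BSD-style ctype table lookup (NetBSD's isxdigit() indexes a table as `(_ctype_tab_ + 1)[c]`) with a bounds check that counts the out-of-bounds read instead of performing it, then runs a minimal percent-decoder in the shape of urldecode() twice: once handing bytes to the lookup through a signed char, as a plain char is on x86 and on NetBSD's default ABI, and once through the `(unsigned char)` cast that is the standard fix. All function names, the table layout and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for a table-lookup ctype implementation. 257 entries
 * let EOF (-1) land on index 0 and bytes 0..255 on 1..256, mirroring the
 * (_ctype_tab_ + 1)[c] layout. A real libc reads unconditionally; here the
 * index is bounds-checked and a bad index is counted rather than read.
 */
static unsigned char xdigit_tab[257];
static int tab_ready;

static int tab_isxdigit(int c, int *oob)
{
    if (!tab_ready) {
        for (int d = '0'; d <= '9'; d++) xdigit_tab[d + 1] = 1;
        for (int d = 'a'; d <= 'f'; d++) xdigit_tab[d + 1] = 1;
        for (int d = 'A'; d <= 'F'; d++) xdigit_tab[d + 1] = 1;
        tab_ready = 1;
    }
    long idx = (long)c + 1;   /* negative c other than EOF -> negative index */
    if (idx < 0 || idx > 256) {
        (*oob)++;             /* the out-of-bounds read the advisory describes */
        return 0;
    }
    return xdigit_tab[idx];
}

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return c - 'A' + 10;
}

/*
 * Minimal percent-decoder: "%XX" becomes one byte, '+' becomes a space.
 * With unsigned_cast == 0 the bytes after '%' reach the ctype lookup via a
 * signed char, so 0xC3 arrives as -61; with unsigned_cast == 1 it arrives as
 * 195. Returns the decoded length, NUL-terminates out, counts bad lookups.
 */
static size_t percent_decode(const char *in, char *out, int unsigned_cast, int *oob)
{
    size_t n = 0;
    *oob = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '%' && in[i + 1] != '\0' && in[i + 2] != '\0') {
            int ok;
            if (unsigned_cast) {
                /* fixed pattern: promote through unsigned char, never negative */
                ok = tab_isxdigit((unsigned char)in[i + 1], oob)
                  && tab_isxdigit((unsigned char)in[i + 2], oob);
            } else {
                /* vulnerable pattern: signed char promotes high bytes to negative ints */
                signed char c1 = (signed char)in[i + 1];
                signed char c2 = (signed char)in[i + 2];
                ok = tab_isxdigit(c1, oob) && tab_isxdigit(c2, oob);
            }
            if (ok) {
                out[n++] = (char)(hexval((unsigned char)in[i + 1]) * 16
                                + hexval((unsigned char)in[i + 2]));
                i += 2;
                continue;
            }
        }
        out[n++] = (in[i] == '+') ? ' ' : in[i];
    }
    out[n] = '\0';
    return n;
}

size_t urldecode_vuln(const char *in, char *out, int *oob)  { return percent_decode(in, out, 0, oob); }
size_t urldecode_fixed(const char *in, char *out, int *oob) { return percent_decode(in, out, 1, oob); }

/* Checking helpers: how many lookups would have gone out of bounds, and
   whether the decoder produced exactly the expected bytes. */
int oob_lookups(const char *in, int fixed)
{
    char out[256]; int oob;
    (fixed ? urldecode_fixed : urldecode_vuln)(in, out, &oob);
    return oob;
}

int decodes_to(const char *in, int fixed, const char *expect, size_t expect_len)
{
    char out[256]; int oob;
    size_t n = (fixed ? urldecode_fixed : urldecode_vuln)(in, out, &oob);
    return n == expect_len && memcmp(out, expect, n) == 0;
}

int main(void)
{
    /* constructed inputs: a valid escape, then '%' followed by the UTF-8
       bytes of 'é' (0xC3 0xA9), then a half-valid escape ending in 0xC3 */
    const char *inputs[] = { "a%41+b", "%\xC3\xA9", "%4\xC3" };
    for (size_t i = 0; i < 3; i++)
        printf("input %zu: vulnerable oob=%d  fixed oob=%d\n",
               i, oob_lookups(inputs[i], 0), oob_lookups(inputs[i], 1));
    return 0;
}
```

The decoded bytes are identical on both paths; the only difference is that the signed-char path indexes the table at -60 for the byte 0xC3. That is why the fix is a cast at the call site rather than a change to the decoder's logic, and why the bug is invisible on platforms whose ctype masks or range-checks the argument.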
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php8.4 | — | — |
| devspaces | code-rhel9 | — | — |
| php | php | — | — |
| php | php | >= 8.2.0 < 8.2.31 | 8.2.31 |
| php | php | >= 8.3.0 < 8.3.31 | 8.3.31 |
| php | php | >= 8.4.0 < 8.4.21 | 8.4.21 |
| php | php | >= 8.5.0 < 8.5.6 | 8.5.6 |
| php_7.4 | php | — | — |
| php_8.2 | php | — | — |
| php_8.3 | php | — | — |
| php_group | php | >= 8.2.* < 8.2.31 | 8.2.31 |
| php_group | php | >= 8.3.* < 8.3.31 | 8.3.31 |
| php_group | php | >= 8.4.* < 8.4.21 | 8.4.21 |
| php_group | php | >= 8.5.* < 8.5.6 | 8.5.6 |
| rhoai | odh-workbench-codeserver-datascience-cpu-py312-rhel9 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber |
| vendor_redhat | — | 6.3 | MEDIUM | — |
VulDB
PHP up to 8.2.30/8.3.30/8.4.20/8.5.5 urldecode out-of-bounds (GHSA-m8rr-4c36-8gq4 / WID-SEC-2026-1433)
vuldb · 2026-05-10 · CVSS 6.3 · MEDIUM
A vulnerability described as problematic has been identified in PHP up to 8.2.30/8.3.30/8.4.20/8.5.5. It affects the function urldecode; manipulation of its input leads to an out-of-bounds read.
This vulnerability is documented as CVE-2026-7258. The attack can be executed remotely. No exploit is available.
Upgrading the affected component is recommended.
Red Hat
PHP: Denial of Service via improper handling of signed characters in ctype functions
vendor_redhat · 2026-05-10 · CVSS 6.3 · MEDIUM · CWE-839
A flaw was found in PHP. Some functions, including `urldecode()`, incorrectly pass signed characters to character type (ctype) functions. On certain systems, this can lead to accessing memory with a negative offset. This vulnerability can be exploited by an attacker to trigger a denial of service (DoS), making the affected PHP application or system unavailable.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Package: php (Red Hat Enterprise Linux 10) - Fix deferred
Package: php8.4 (Red Hat Enterprise L
No detection rules found.
No public exploits indexed.
Rapid7
Patch Tuesday - May 2026
blogs_rapid7 · 2026-05-13 · CVE-2026-41089 · CVSS 10.0 · CRITICAL
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
Bugzilla
CVE-2026-7258 PHP: Denial of Service via improper handling of signed characters in ctype functions
bugzilla · 2026-05-10 · CVSS 6.3 · MEDIUM