CVE-2026-7568
Published 2026-05-10
CVE-2026-7568: In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c…
Priority: P3 (42) · high · CVSS 3.1: 7.5 · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.44% (35.4th percentile)
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php8.4 | — | — |
| php | php | — | — |
| php | php | >= 8.2.0 < 8.2.31 | 8.2.31 |
| php | php | >= 8.3.0 < 8.3.31 | 8.3.31 |
| php | php | >= 8.4.0 < 8.4.21 | 8.4.21 |
| php | php | >= 8.5.0 < 8.5.6 | 8.5.6 |
| php_7.4 | php | — | — |
| php_8.2 | php | — | — |
| php_8.3 | php | — | — |
| php_group | php | >= 8.2.* < 8.2.31 | 8.2.31 |
| php_group | php | >= 8.3.* < 8.3.31 | 8.3.31 |
| php_group | php | >= 8.4.* < 8.4.21 | 8.4.21 |
| php_group | php | >= 8.5.* < 8.5.6 | 8.5.6 |
| ubuntu | php8.1 | — | — |
| ubuntu | php8.3 | — | — |
| ubuntu | php8.4 | — | — |
| ubuntu | php8.5 | — | — |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd · v4.0 · 6.3 MEDIUM · CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Amber
vendor_ubuntu · 7.4 HIGH
vendor_redhat · 6.3 MEDIUM
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2026-05-28·CVSS 7.4
CVE-2026-7259 [HIGH] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An attacker could possibly use this issue to perform SQL injection attacks. (CVE-2025-14179)

It was discovered that PHP incorrectly handled certain encoding names in mbstring. An attacker could possibly use this issue to obtain sensitive information or cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-6104)

It was discovered that PHP incorrectly handled object references while parsing crafted SOAP requests. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-6722)
It was discovered that PH
Red Hat
php: signed integer overflow in metaphone()
vendor_redhat·2026-05-10·CVSS 6.3
CVE-2026-7568 [MEDIUM] CWE-190 php: signed integer overflow in metaphone()
A flaw was found in PHP. The metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. When an input string is longer than 2,147,483,647 bytes, a signed integer overflow can occur, leading to undefined behavior and an out-of-bounds read. This issue can cause a denial of service and a limited memory disclosure.
Statement: This issue can be exploited by passing an excessively large string, exceeding 2,147,483,647 bytes, to the metaphone() function. This function is used for searching and matching words based on their phonetic sound. The large string can lead to a signed integer overflow that allows an attacker to cause an out-of-bounds read, resulting in a denial of service.
VulDB
PHP up to 8.2.30/8.3.30/8.4.20/8.5.5 ext/standard/metaphone.c metaphone integer overflow (GHSA-96wq-48vp-hh57 / WID-SEC-2026-1433)
vuldb·2026-05-10·CVSS 6.3
CVE-2026-7568 [MEDIUM] PHP up to 8.2.30/8.3.30/8.4.20/8.5.5 ext/standard/metaphone.c metaphone integer overflow (GHSA-96wq-48vp-hh57 / WID-SEC-2026-1433)
A vulnerability categorized as problematic has been discovered in PHP up to 8.2.30/8.3.30/8.4.20/8.5.5. Affected is the function metaphone of the file ext/standard/metaphone.c. Executing a manipulation can lead to integer overflow.
This vulnerability is tracked as CVE-2026-7568. The attack can be launched remotely. No exploit exists.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-7568 php: signed integer overflow in metaphone()
bugzilla·2026-05-10·CVSS 6.3
CVE-2026-7568 [MEDIUM] CVE-2026-7568 php: signed integer overflow in metaphone()
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
Rapid7
Patch Tuesday - May 2026
blogs_rapid7·2026-05-13·CVSS 10.0
CVE-2026-41089 [CRITICAL] Patch Tuesday - May 2026
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57
https://access.redhat.com/errata/RHSA-2026:22142
https://access.redhat.com/errata/RHSA-2026:22143
https://access.redhat.com/errata/RHSA-2026:22305
https://access.redhat.com/errata/RHSA-2026:22649
https://access.redhat.com/errata/RHSA-2026:23388
https://access.redhat.com/security/cve/CVE-2026-7568
https://bugzilla.redhat.com/show_bug.cgi?id=2468566
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7568.json