Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-10T04:28:14 PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-839

A flaw was found in PHP. Some functions, including `urldecode()`, incorrectly pass signed characters to character type (ctype) functions. On certain systems, this can lead to accessing memory with a negative offset. This vulnerability can be exploited by an attacker to trigger a denial of service (DoS), making the affected PHP application or system unavailable.

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. Red Hat Enterprise Linux 8 2026-06-01T00:00:00Z RHSA-2026:22305 php:8.2-8100020260521052503.f7998665 Red Hat Enterprise Linux 9 2026-06-01T00:00:00Z RHSA-2026:22142 php:8.3-9080020260521113736.9 Red Hat Enterprise Linux 9 2026-06-01T00:00:00Z RHSA-2026:22143 php:8.2-9080020260521080715.9 Red Hat Hardened Images 2026-05-06T00:00:00Z RHSA-2026:14125 php-main-8.5.6-1.hum1 Red Hat Enterprise Linux 10 Fix deferred php Red Hat Enterprise Linux 10 Fix deferred php8.4 Red Hat Enterprise Linux 6 Fix deferred php Red Hat Enterprise Linux 7 Fix deferred php Red Hat Enterprise Linux 8 Fix deferred php:7.4/php Red Hat Enterprise Linux 9 Fix deferred php Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9 Red Hat OpenShift Dev Spaces Fix deferred devspaces/code-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-7258 https://nvd.nist.gov/vuln/detail/CVE-2026-7258 https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4