{
  "threat_severity" : "Important",
  "public_date" : "2026-05-10T03:42:36Z",
  "bugzilla" : {
    "description" : "php: signed integer overflow in metaphone()",
    "id" : "2468566",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2468566"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.", "A flaw was found in PHP. The metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. When an input string is longer than 2,147,483,647 bytes, a signed integer overflow can occur, leading to undefined behavior and an out-of-bounds read. This issue can cause a denial of service." ],
  "statement" : "This issue can be exploited by passing an excessively large string, exceeding 2,147,483,647 bytes, to the metaphone() function. This function is used for searching and matching words based on their phonetic sound. The large string can lead to a signed integer overflow that allows an attacker to cause an out-of-bounds read, resulting in a denial of service. For these reasons, this vulnerability has been rated with Important severity.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22649",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "php8.4-0:8.4.21-1.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-06-04T00:00:00Z",
    "advisory" : "RHSA-2026:23388",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "php-0:8.3.31-1.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22305",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "php:8.2-8100020260521052503.f7998665"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22142",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php:8.3-9080020260521113736.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22143",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php:8.2-9080020260521080715.9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "php:7.4/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-7568\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-7568\nhttps://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57" ],
  "name" : "CVE-2026-7568",
  "mitigation" : {
    "value" : "To mitigate this vulnerability, validate the length of any user-controlled input before passing it to the metaphone() function. Also, verify the PHP and web server configuration to ensure memory limits and maximum request sizes are restricted to below ~2 GiB.",
    "lang" : "en:us"
  },
  "csaw" : false
}