CVE-2026-7568
Published: May 10, 2026
Modified: May 11, 2026
Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
| Vendor | Product | Versions |
|---|---|---|
PHP Group | PHP | affected 8.2.* - < 8.2.31affected 8.3.* - < 8.3.31affected 8.4.* - < 8.4.21affected 8.5.* - < 8.5.6 |
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now