Signed integer overflow in metaphone()
Summary
| CVE | CVE-2026-7568 |
|---|---|
| State | PUBLISHED |
| Assigner | php |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-10 05:16:11 UTC |
| Updated | 2026-07-02 12:17:45 UTC |
| Description | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process. |
Risk And Classification
Primary CVSS: v4.0 6.3 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Amber
EPSS: 0.000420000 probability, percentile 0.128530000 (date 2026-05-12)
Problem Types: CWE-125 | CWE-190 | CWE-190 CWE-190 Integer Overflow or Wraparound | CWE-125 CWE-125 Out-of-bounds Read | CWE-190 Integer Overflow or Wraparound
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/C... |
| 4.0 | CNA | CVSS | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/RE:L/... |
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Amber
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | PHP Group | PHP | affected 8.2.* 8.2.31 semver | Not specified |
| CNA | PHP Group | PHP | affected 8.3.* 8.3.31 semver | Not specified |
| CNA | PHP Group | PHP | affected 8.4.* 8.4.21 semver | Not specified |
| CNA | PHP Group | PHP | affected 8.5.* 8.5.6 semver | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:23388 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33449 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:22305 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:22649 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57 | [email protected] | github.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:22142 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7568.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:22143 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34354 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-7568 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Aleksey Solovev (Positive Technologies) (en)
CNA: Tim Düsterhus (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-10T05:01:02.287Z | Reported to Red Hat. |
| ADP | 2026-05-10T03:42:36.433Z | Made public. |
Solutions
ADP: RHSA-2026:23388: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:22649: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:34354: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:22305: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:22142: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:22143: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:33449: Red Hat Enterprise Linux AppStream (v. 9)
Workarounds
ADP: To mitigate this vulnerability, validate the length of any user-controlled input before passing it to the metaphone() function. Also, verify the PHP and web server configuration to ensure memory limits and maximum request sizes are restricted to below ~2 GiB.