CVE•Published 2026-05-10•Modified 2026-05-12•1 article on news•6 live references•NVD data

CVE-2026-6104Php · Php

Vulnerability data via NVD (ingested)

CVSS v3.1

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS percentile

—

Weaknesses (CWE)

CWE-125Out-of-bounds Read

Description

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.

Timeline

Published 2026-05-10

Modified 2026-05-12

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag58,478 hosts

vuln:CVE-2026-6104

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Php Php"

All exposed Php Php instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Php"

HTTP body or banner mentions "Php" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-6104