CVE-2026-6104— Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-6104
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
Source: NVD (National Vulnerability Database)
Vulnerability Description
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨界内存读
Source: NVD (National Vulnerability Database)
Vulnerability Title
PHP 缓冲区错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
PHP是PHP开源的一种在服务器端执行的脚本语言。 PHP 8.4.21之前版本和8.5.6之前版本存在缓冲区错误漏洞,该漏洞源于当包含嵌入NUL字节的编码名称传递给mb_convert_encoding()或相关mbstring函数时,代码错误地假设strncasecmp()返回0意味着字符串长度相同,可能导致全局内存越界读取,从而引发崩溃或信息泄露。以下版本受到影响:8.4.21之前版本和8.5.6之前版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-6104
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-6104
请登录查看更多情报信息。
Same Patch Batch · PHP Group · 2026-05-10 · 10 CVEs total
| CVE-2026-7258 | Out-of-bounds read in urldecode() on NetBSD | |
| CVE-2026-7262 | NULL pointer dereference in SOAP apache:Map decoder with missing <value> | |
| CVE-2026-7261 | SoapServer session-persisted object use-after-free via SOAP header fault | |
| CVE-2026-7259 | Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() | |
| CVE-2026-7568 | Signed integer overflow in metaphone() | |
| CVE-2026-6722 | Use-After-Free in SOAP using Apache map | |
| CVE-2026-6735 | XSS within PHP-FPM status endpoint | |
| CVE-2025-14179 | SQL injection in pdo_firebird via NUL bytes in quoted strings | |
| CVE-2026-7263 | DoS attack via DOMNode::C14N() |
IV. Related Vulnerabilities
Same product: PHP
Same vendor: PHP Group
Same weakness: CWE-125
- CVE-2026-8177
XML::LibXML versions through 2.0210 for Perl read out-of-bou - CVE-2026-7258
Out-of-bounds read in urldecode() on NetBSD - CVE-2026-8186
Open5GS NF client.c ogs_sbi_client_send_via_scp_or_sepp out- - CVE-2026-3508
ASUS System Control Interface 缓冲区错误漏洞 - CVE-2026-8088
OSGeo gdal GDapi.c GDfieldinfo out-of-bounds
V. Comments for CVE-2026-6104
No comments yet