PHP Ctype Functions Signed Char Handling Vulnerability Leading to Denial-of-Service

Vulnerability

A vulnerability exists in PHP versions 8.2.* prior to 8.2.31, 8.3.* prior to 8.3.31, 8.4.* prior to 8.4.21, and 8.5.* prior to 8.5.6. Certain functions, including urldecode(), pass plain (signed) char values directly to ctype functions such as isxdigit() instead of converting them through unsigned char first. On systems where char is signed by default and the ctype functions are implemented as table lookups, such as NetBSD, any byte with the high bit set becomes a negative array index; the resulting out-of-bounds read can cause a segmentation fault and therefore a denial-of-service condition.

Impact

Exploitation of this vulnerability causes an out-of-bounds read, resulting in a segmentation fault and a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by calling the urldecode() function with a string that contains a percent sign followed by a byte whose value is negative when interpreted as a signed char (that is, a byte of 0x80 or above). That byte is handed to isxdigit() unconverted, and the negative index leads to an out-of-bounds read of the classification table.
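The following is an added illustration of the defect class, not code from PHP or from this advisory. It uses a constructed 256-entry lookup table to stand in for a table-driven isxdigit(), shows the index a raw signed char produces beside the index the required (unsigned char) cast produces, and finishes with a small percent-decoder written the safe way. The function names, the table, and the decoder conventions (a "+" becomes a space, an invalid escape is copied literally) are assumptions made for this example; the C standard's rule that <ctype.h> arguments must be EOF or representable as unsigned char is the fact being demonstrated.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed 256-entry table mirroring the shape of a table-driven isxdigit():
 * the only valid indices are 0..255, so a negative index reads before the array. */
static unsigned char hex_table[256];
static int hex_table_ready = 0;

static void init_hex_table(void)
{
    const char *digits = "0123456789abcdefABCDEF";
    memset(hex_table, 0, sizeof hex_table);
    for (const char *p = digits; *p; p++)
        hex_table[(unsigned char)*p] = 1;
    hex_table_ready = 1;
}

/* The defective pattern: the raw char value is used as the index.  Written with
 * signed char so the result is the same everywhere; on platforms where plain char
 * is signed (e.g. NetBSD/x86) this is what isxdigit(c) receives for a char c. */
int ctype_index_unsafe(signed char c)
{
    return (int)c;                 /* byte 0xE9 -> -23, outside hex_table */
}

/* The fixed pattern: convert through unsigned char first. */
int ctype_index_safe(char c)
{
    return (int)(unsigned char)c;  /* byte 0xE9 -> 233, always within 0..255 */
}

/* Returns 1 when v is a value the <ctype.h> functions accept: EOF or 0..UCHAR_MAX. */
int is_valid_ctype_arg(int v)
{
    return v == EOF || (v >= 0 && v <= 255);
}

/* Table lookup guarded by the cast; bytes >= 0x80 simply classify as "not hex". */
static int is_hex(char c)
{
    if (!hex_table_ready) init_hex_table();
    return hex_table[ctype_index_safe(c)];
}

static int hex_val(char c)
{
    c = (char)tolower((unsigned char)c);
    return isdigit((unsigned char)c) ? c - '0' : c - 'a' + 10;
}

/* Percent-decoder with the cast in place.  Returns the number of bytes written,
 * or -1 if out is too small.  "+" -> space and invalid escapes are copied
 * literally (decoder conventions assumed for this example). */
int percent_decode(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; in[i]; ) {
        if (n + 1 >= outsz)
            return -1;
        if (in[i] == '%' && is_hex(in[i + 1]) && is_hex(in[i + 2])) {
            out[n++] = (char)(hex_val(in[i + 1]) * 16 + hex_val(in[i + 2]));
            i += 3;
        } else if (in[i] == '+') {
            out[n++] = ' ';
            i++;
        } else {
            out[n++] = in[i++];
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Decode `in` and compare the result with `expected`; 1 on match, 0 otherwise. */
int decode_equals(const char *in, const char *expected)
{
    char buf[64];
    int n = percent_decode(in, buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

int main(void)
{
    printf("raw index for 0xE9: %d (valid=%d)\n",
           ctype_index_unsafe((signed char)0xE9),
           is_valid_ctype_arg(ctype_index_unsafe((signed char)0xE9)));
    printf("cast index for 0xE9: %d (valid=%d)\n",
           ctype_index_safe((char)0xE9),
           is_valid_ctype_arg(ctype_index_safe((char)0xE9)));
    return 0;
}
```

The input "%" followed by byte 0xE9 is exactly the shape described under Reproduction: with the cast, is_hex() indexes entry 233, classifies it as non-hex, and the decoder copies the bytes through; without the cast the same byte would index entry -23. Compilers and static analyzers can flag the unsafe pattern (GCC's -Wchar-subscripts catches the direct array form), and the invariant to enforce at review time is that every ctype call site converts its argument through unsigned char.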

Remediation

Users can upgrade to PHP versions 8.2.31, 8.3.31, 8.4.21, or 8.5.6 to address this vulnerability.

Added: May 10, 2026, 5:21 AM
Updated: May 10, 2026, 5:21 AM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 2.5
exploitability: 6.8
remediation: 7.7
relevance: 7.9
threat: 1.6
urgency: 5.7
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.