PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*
- < 8.5.6
- < 8.4.21
- < 8.3.31
- < 8.2.31
A NULL pointer dereference vulnerability has been identified in PHP versions 8.2.* prior to 8.2.31, 8.3.* prior to 8.3.31, 8.4.* prior to 8.4.21, and 8.5.* prior to 8.5.6. This vulnerability arises from a mismatch between encoding lists in the Oniguruma regex library and mbfl, PHP's internal encoding library. When user-controlled input influences the encoding passed to mb_regex_encoding(), it can lead to a segmentation fault, causing a denial-of-service condition. The issue occurs because Oniguruma supports certain encodings that mbfl does not, creating a scenario where the encoding is accepted by the regex library but results in a NULL value when processed by mbfl. This NULL value is then dereferenced, causing a segmentation fault and crashing the PHP process.
Exploitation of this vulnerability reliably crashes the PHP process, causing a denial-of-service condition.
The vulnerability can be reproduced by calling 'mb_regex_encoding()' with an unsupported encoding, such as 'iso-8859-11'. This encoding is accepted by Oniguruma but not by mbfl, leading to a NULL pointer dereference when 'mb_ereg_search_init()' is used, causing a segmentation fault.
Users can upgrade to PHP versions 8.5.6, 8.4.21, 8.3.31, or 8.2.31 to address this vulnerability.
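Until the upgrade is deployed, the crash condition described above can be kept out of reach by never passing request data directly to mb_regex_encoding(). The following is an added example, not code from the PHP project or from this advisory; the function names and the allowlist contents are assumptions to adapt to the application, and the fixed-release table is copied from the version list above.

```php
<?php
declare(strict_types=1);

// Fixed release per branch, as listed in the advisory text above.
const FIXED_RELEASES = ['8.2' => '8.2.31', '8.3' => '8.3.31', '8.4' => '8.4.21', '8.5' => '8.5.6'];

// Assumption: the only encodings this application needs for mb_ereg_* calls.
const ALLOWED_REGEX_ENCODINGS = ['UTF-8', 'EUC-JP', 'SJIS'];

/** True if $version is on a listed branch and older than that branch's fix. */
function is_affected(string $version): bool
{
    if (!preg_match('/^(\d+\.\d+)\./', $version, $m)) {
        return false; // unparseable version string: no claim made
    }
    $fixed = FIXED_RELEASES[$m[1]] ?? null; // branches the advisory does not list yield null
    return $fixed !== null && version_compare($version, $fixed, '<');
}

/**
 * Map a user-supplied encoding name to an allowlisted constant, or null.
 * Only the constant from the allowlist is ever handed to mb_regex_encoding().
 */
function pick_regex_encoding(string $requested): ?string
{
    $needle = strtoupper(trim($requested));
    foreach (ALLOWED_REGEX_ENCODINGS as $name) {
        if ($needle === strtoupper($name)) {
            return $name;
        }
    }
    return null;
}

// Constructed sample inputs, including the encoding name the advisory cites.
foreach (['utf-8', 'iso-8859-11', 'SJIS'] as $input) {
    $encoding = pick_regex_encoding($input);
    if ($encoding === null) {
        echo "rejected: {$input}\n"; // never reaches the regex engine
        continue;
    }
    mb_regex_encoding($encoding);
    echo 'regex encoding set to: ' . mb_regex_encoding() . "\n";
}

echo 'runtime ' . PHP_VERSION
    . (is_affected(PHP_VERSION) ? ' is in an affected range' : ' is not in a listed affected range') . "\n";
```

The allowlist only narrows exposure on code paths that use it; upgrading to a fixed release remains the remedy the advisory gives.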