The vulnerability arises in PHP's mbstring extension when encoding names with embedded NUL bytes are passed to certain functions. The code uses strncasecmp() to compare strings but incorrectly interprets a zero return value as indicating equal length, which is not guaranteed. This logic flaw leads to out-of-bounds reads of global memory, potentially causing application crashes or leaking information. The affected PHP versions are 8.4.* before 8.4.21 and 8.5.* before 8.5.6. Functions impacted include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), mb_detect_order(), and the mbstring.detect_order and mbstring.http_output INI settings. The CVSS 4.0 score is 6.3, indicating medium severity. No patch or official remediation guidance is provided in the input.

Successful exploitation can result in out-of-bounds reads of global memory, which may cause application crashes or information disclosure. The vulnerability affects multiple mbstring functions and related INI settings in PHP, potentially impacting applications relying on these functions for encoding operations. There are no known exploits in the wild as per the provided data.

Patch status is not yet confirmed — check the PHP Group vendor advisory for current remediation guidance. Since no official patch or remediation level is indicated, users should monitor for updates from the PHP Group and apply official fixes once available. Until then, consider avoiding passing encoding names with embedded NUL bytes to mbstring functions as a temporary precaution if feasible.