# PHP 8.5.7 `levenshtein()` signed-integer overflow

**Author:** Khashayar Fereidani
**Disclosure Date:** 2026-06-18
**Advisory:** https://fereidani.com/php-857-levenshtein-signed-integer-overflow
**Contact:** https://fereidani.com/contact
**Source:** PACKETSTORM:223963 (https://packetstorm.news/files/id/223963/), published 2026-06-22

## Description

The `levenshtein()` function calculates the Levenshtein distance between two strings, optionally accepting custom costs for insertion, replacement, and deletion operations. In PHP 8.5.7, the implementation lacks proper bounds checking for these cost parameters. When exceptionally large values (such as `PHP_INT_MAX`) are provided, the arithmetic operations within the `reference_levdist()` function in `ext/standard/levenshtein.c` result in a signed-integer overflow. This triggers undefined behavior in C and causes the function to return a negative distance, which is mathematically invalid.

## Proof of concept

```php
<?php
/*
 * levenshtein() signed-integer overflow
 * File:  ext/standard/levenshtein.c  reference_levdist()  lines 47, 50, 53-58
 *
 * The user-supplied costs (cost_ins / cost_rep / cost_del, all zend_long) are
 * added with NO overflow check, e.g.:
 *     p1[i2]  = i2 * cost_ins;        // line 47
 *     p2[0]   = p1[0] + cost_del;     // line 50
 *     c1      = p1[i2 + 1] + cost_del;// line 54   <-- PHP_INT_MAX + PHP_INT_MAX
 *     c2      = p2[i2] + cost_ins;    // line 58
 *
 * Result: signed overflow (undefined behaviour in C) producing a
 * NEGATIVE edit distance, a value that is mathematically impossible.
 */
var_dump(levenshtein('a',   'b',   PHP_INT_MAX, PHP_INT_MAX, PHP_INT_MAX)); // int(-2)  (should be PHP_INT_MAX)
var_dump(levenshtein('a',   'abc', PHP_INT_MAX, PHP_INT_MAX, PHP_INT_MAX)); // int(-4)
var_dump(levenshtein('a',   'b',   PHP_INT_MAX, 0,           PHP_INT_MAX)); // int(-2)
echo "All three distances are negative => signed overflow (expected >= 0).\n";
```

## Impact

The primary risk associated with this vulnerability is an application logic flaw. Applications that rely on the `levenshtein()` function to determine string similarity or calculate distance metrics might fail to handle negative returns properly (for instance, treating a negative number as `< threshold`). This can result in unexpected behavior, incorrect data processing, or bypasses in business logic. Since it involves integer overflow producing a negative result rather than a memory corruption issue, the scope is generally limited to logic disruption rather than arbitrary code execution.

## Solution

To effectively address this issue, bounds checking should be implemented either on the cost parameters at the start of the function, or during intermediate calculations. Utilizing safe arithmetic macros provided by the Zend Engine can prevent the integer overflow constraints from being violated:

```c
// Example: Adding overflow safeguards in ext/standard/levenshtein.c
if (UNEXPECTED(ZEND_SIGNED_ADD_OVERFLOWS(p1[i2 + 1], cost_del))) {
    php_error_docref(NULL, E_WARNING, "Levenshtein distance calculation caused an integer overflow");
    // Handle error, e.g., return -1 or cap
}
```

An alternative and proactive measure is to restrict the inputs for `cost_ins`, `cost_rep`, and `cost_del` before computing the distance, ensuring that they wouldn't exceed `ZEND_LONG_MAX` when scaled relative to the strings' lengths.