{“lastseen”:”2026-06-22T18:40:56″,”description”:”PHP version 8.5.7 suffers from an uninitialized read issue that does not appear immediately useful for any sort of exploitation…”,”published”:”2026-06-22T00:00:00″,”modified”:”2026-06-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 PHP 8.5.7 FILTER_SANITIZE_ENCODED Uninitialized Read”,”source”:””,”references”:””,”id”:”PACKETSTORM:223960″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# PHP 8.5.7 `FILTER_SANITIZE_ENCODED` uninitialized read\\n \\n **Author:** Khashayar Fereidani\\n **Disclosure Date:** 2026-06-18\\n **Advisory:** https:\/\/fereidani.com\/php-857-filtersanitizeencoded-uninitialized-read\\n **Contact:** https:\/\/fereidani.com\/contact\\n \\n ## Description\\n \\n In `ext\/filter\/sanitizing_filters.c`, the `php_filter_encode_url`\\n function leaves the `255`th byte (`0xFF`) of a transient array\\n uninitialized. An array of 256 bytes is populated using `memset(tmp,\\n 1, sizeof(tmp) – 1)`, resulting in `tmp[255]` remaining uninitialized.\\n When `FILTER_SANITIZE_ENCODED` is applied, this array acts as a lookup\\n table to determine whether an input byte should be percent-encoded.\\n Consequently, whether the byte `0xFF` is encoded or left as-is depends\\n on whatever value happened to be on the stack.\\n \\n ## Proof of concept\\n \\n “`php\\n \\u003c?php\\n \/*\\n * FILTER_SANITIZE_ENCODED uninitialized read\\n (ext\/filter\/sanitizing_filters.c:73).\\n *\\n * php_filter_encode_url() does:\\n * unsigned char tmp[256];\\n * memset(tmp, 1, sizeof(tmp) – 1); \/\/ sets tmp[0..254] = 1,\\n leaves tmp[255] UNINIT\\n * …\\n * if (tmp[*s]) { percent-encode } else { keep }\\n *\\n * So byte 0xFF (index 255) is read UNINITIALIZED: whether it is percent-encoded\\n * depends on whatever was on the stack. Every other byte is encoded\\n * deterministically. Effect: inconsistent URL-encoding of 0xFF (low severity;\\n * no crash \/ no memory corruption, just UB + nondeterministic sanitizing).\\n *\\n * Run: php poc.php\\n * expect: 0xFF kept RAW (ff…) while 0xFE is correctly percent-encoded (%FE)\\n *\/\\n $out = filter_var(\\”\\\\xff\\\\xfeabc\\”, FILTER_SANITIZE_ENCODED);\\n echo \\”in : \\”, bin2hex(\\”\\\\xff\\\\xfeabc\\”), \\”\\\\n\\”;\\n echo \\”out: \\”, bin2hex($out), \\”\\\\n\\”;\\n echo \\”0xFF was kept raw and 0xFE was percent-encoded =\\u003e tmp[255] read\\n uninitialized.\\\\n\\”;\\n “`\\n \\n Running the script results in:\\n \\n “`bash\\n in : fffe616263\\n out: ff254645616263\\n 0xFF was kept raw and 0xFE was percent-encoded =\\u003e tmp[255] read uninitialized.\\n “`\\n \\n ## Impact\\n \\n The impact is low. No crashes or memory corruption can occur as a\\n result of this bug. The sole impact is nondeterministic sanitizing of\\n the `0xFF` byte, which leads to inconsistent URL-encoding based on\\n uninitialized stack data unless it smartly gets used among other\\n vulnerabilities in a chain.\\n \\n ## Solution\\n \\n Replace `sizeof(tmp) – 1` with `sizeof(tmp)` in the `memset` call in\\n `ext\/filter\/sanitizing_filters.c` to fully initialize the lookup\\n table.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223960″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223960\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-22T18:40:56″,”description”:”PHP version 8.5.7 suffers from an uninitialized read issue that does not appear immediately useful for any sort of exploitation…”,”published”:”2026-06-22T00:00:00″,”modified”:”2026-06-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 PHP 8.5.7 FILTER_SANITIZE_ENCODED Uninitialized Read”,”source”:””,”references”:””,”id”:”PACKETSTORM:223960″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”#…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-64861","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n