PHP 8.5.7 FILTER_SANITIZE_ENCODED Uninitialized Read

Date: 22 Jun 2026
Reported by: Khashayar Fereidani
Type: packetstorm
Source: packetstorm.news

PHP 8.5.7 FILTER_SANITIZE_ENCODED reads tmp[255] uninitialized, causing uncertain URL encoding.

# PHP 8.5.7 `FILTER_SANITIZE_ENCODED` uninitialized read

**Author:** Khashayar Fereidani
**Disclosure Date:** 2026-06-18
**Advisory:** https://fereidani.com/php-857-filtersanitizeencoded-uninitialized-read
**Contact:** https://fereidani.com/contact

## Description

In `ext/filter/sanitizing_filters.c`, the `php_filter_encode_url` function leaves the byte at index 255 (`0xFF`) of a transient array uninitialized. The 256-byte array is populated with `memset(tmp, 1, sizeof(tmp) - 1)`, so `tmp[255]` is never written. When `FILTER_SANITIZE_ENCODED` is applied, this array serves as a lookup table that decides whether an input byte is percent-encoded. Consequently, whether the byte `0xFF` is encoded or left as-is depends on whatever value happened to be on the stack.

## Proof of concept

```php
<?php
/*
 * FILTER_SANITIZE_ENCODED uninitialized read (ext/filter/sanitizing_filters.c:73).
 *
 * php_filter_encode_url() does:
 *     unsigned char tmp[256];
 *     memset(tmp, 1, sizeof(tmp) - 1);   // sets tmp[0..254] = 1, leaves tmp[255] UNINIT
 *     ...
 *     if (tmp[*s]) { percent-encode } else { keep }
 *
 * So byte 0xFF (index 255) is read UNINITIALIZED: whether it is percent-encoded
 * depends on whatever was on the stack. Every other byte is encoded
 * deterministically. Effect: inconsistent URL-encoding of 0xFF (low severity;
 * no crash / no memory corruption, just UB + nondeterministic sanitizing).
 *
 * Run:  php poc.php
 *   expect: 0xFF kept RAW (ff...) while 0xFE is correctly percent-encoded (%FE)
 */
$out = filter_var("\xff\xfeabc", FILTER_SANITIZE_ENCODED);
echo "in : ", bin2hex("\xff\xfeabc"), "\n";
echo "out: ", bin2hex($out), "\n";
echo "0xFF was kept raw and 0xFE was percent-encoded => tmp[255] read uninitialized.\n";
```

Running the script results in:

```text
in : fffe616263
out: ff254645616263
0xFF was kept raw and 0xFE was percent-encoded => tmp[255] read uninitialized.
```

## Impact

The impact is low. No crashes or memory corruption can occur as a result of this bug. The sole impact is nondeterministic sanitizing of the `0xFF` byte, which leads to inconsistent URL-encoding based on uninitialized stack data, unless it is combined with other vulnerabilities in a chain.

## Solution

Replace `sizeof(tmp) - 1` with `sizeof(tmp)` in the `memset` call in `ext/filter/sanitizing_filters.c` to fully initialize the lookup table.
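To make the description and the proposed fix concrete, here is a simplified C model of the lookup-table build and encode loop. It is an added example, not PHP's source or the advisory's own code: the allowed-character list is an assumption, and the `stack_garbage` parameter stands in for whatever `tmp[255]` happens to contain, so the nondeterministic case can be reproduced deterministically; `encode_buggy` uses the 255-byte `memset`, `encode_fixed` the full-size one from the Solution section.

```c
#include <string.h>

/* Bytes left unencoded. ASSUMPTION: a simplified stand-in for PHP's real list. */
static const char ALLOWED[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._";
static const char HEX[] = "0123456789ABCDEF";

/* tmp[c] != 0 means "percent-encode byte c". init_len = 255 mirrors the
 * advisory's memset(tmp, 1, sizeof(tmp) - 1) and leaves tmp[255] untouched;
 * init_len = 256 is the proposed fix. */
static void build_table(unsigned char *tmp, size_t init_len)
{
    memset(tmp, 1, init_len);
    for (const char *p = ALLOWED; *p; p++)
        tmp[(unsigned char)*p] = 0;
}

/* Percent-encode src[0..len) into dst (needs 3*len+1 bytes); returns length. */
static size_t encode_url(const unsigned char *tmp, const unsigned char *src, size_t len, char *dst)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        if (!tmp[c]) { dst[n++] = (char)c; continue; }
        dst[n++] = '%';
        dst[n++] = HEX[c >> 4];
        dst[n++] = HEX[c & 0x0F];
    }
    dst[n] = '\0';
    return n;
}

/* Buggy variant: tmp is pre-filled with stack_garbage so the untouched tmp[255]
 * holds a known value instead of real (undefined) stack contents. */
size_t encode_buggy(unsigned char stack_garbage, const unsigned char *src, size_t len, char *dst)
{
    unsigned char tmp[256];
    memset(tmp, stack_garbage, sizeof(tmp));
    build_table(tmp, sizeof(tmp) - 1);
    return encode_url(tmp, src, len, dst);
}

/* Fixed variant: the whole table is initialised, so 0xFF is always encoded. */
size_t encode_fixed(const unsigned char *src, size_t len, char *dst)
{
    unsigned char tmp[256];
    build_table(tmp, sizeof(tmp));
    return encode_url(tmp, src, len, dst);
}
```

With the advisory's input `"\xff\xfeabc"`, `encode_buggy(0, ...)` reproduces the reported output (`0xFF` raw, `0xFE` as `%FE`), `encode_buggy(1, ...)` encodes both, and `encode_fixed` always yields `%FF%FEabc`.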
