BIT-LIBPHP-2024-3096 PHP function password_verify can erroneously return true when argument contains NUL

In PHP version 8.1. before 8.1.28, 8.2. before 8.2.18, 8.3. before 8.3.5, if a password stored with passwordhash starts with a null byte \x00, testing a blank string as the password via passwordverify will incorrectly return true...

php: Password_verify() always return true with some hash

A vulnerability was found in PHP. This security flaw occurs when malformatted BCrypt hashes that include a $ within their salt part trigger a buffer overread and may erroneously validate any password as valid...

password_verify() always returns true for some invalid hashes

...