Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
CISA Audits Government Code Repositories With Anthropic’s Mythos AI Tool
July 7, 2026
Microsoft Windows Secures AI Agent Workflows with Execution Containers
July 7, 2026
Critical PHP PDO Driver Bugs Expose Firebird SQL Injection, PostgreSQL DoS
July 7, 2026
Home/Threats/Critical PHP PDO Driver Bugs Expose Firebird SQL Injection, PostgreSQL DoS
Threats

Critical PHP PDO Driver Bugs Expose Firebird SQL Injection, PostgreSQL DoS

Key Takeaways Two critical vulnerabilities have been discovered in PHP’s PDO drivers for Firebird and PostgreSQL databases. CVE-2026-25289 allows SQL injection in the pdo_firebird driver due to...

Jennifer sherman
Jennifer sherman
July 7, 2026 4 Min Read
2 0

Key Takeaways

  • Two critical vulnerabilities have been discovered in PHP’s PDO drivers for Firebird and PostgreSQL databases.
  • CVE-2026-25289 allows SQL injection in the pdo_firebird driver due to NUL byte mishandling.
  • CVE-2026-25290 causes a denial of service (DoS) in the pdo_pgsql driver via a null pointer dereference.
  • These flaws were found by PT Swarm researchers and impact widely used PHP applications.
  • Patches have been released, and immediate updates are strongly recommended for all affected PHP versions.

Recent revelations have brought to light a pair of significant vulnerabilities within PHP’s fundamental database abstraction layer, PHP Data Objects (PDO). These flaws, residing in the drivers for Firebird and PostgreSQL, demonstrate that even extensively used and mature software components can harbor deeply embedded security risks, potentially exposing web applications to severe attacks.

Table Of Content

  • Key Takeaways
  • SQL Injection in Firebird Driver (CVE-2026-25289)
  • Denial of Service in PostgreSQL Driver (CVE-2026-25290)
  • What You Should Do

The vulnerabilities stem from low-level intricacies in how these PDO drivers interact with their respective databases. Specifically, they enable attackers to bypass intended security measures by injecting malicious data, either by exploiting NUL bytes in quoted strings or by triggering application crashes through malformed input.

SQL Injection in Firebird Driver (CVE-2026-25289)

The first vulnerability, identified as CVE-2026-25289, carries a High severity rating. It impacts the pdo_firebird driver and facilitates SQL injection by exploiting how NUL bytes are handled within otherwise properly quoted strings. While developers typically assume that using PDO::quote before PDO::prepare guarantees safety, this research reveals a critical flaw in the driver’s subsequent processing.

The core issue lies in the driver’s use of the C standard library function strncat. This function is designed to concatenate strings but crucially stops copying data upon encountering a NUL byte, disregarding the specified length. If a quoted string containing a NUL byte is passed to the driver, the NUL byte prematurely terminates the string reconstruction process. This causes the closing quote to be dropped, effectively allowing attacker-controlled data to merge with executable SQL commands.

Researchers Aleksey Solovev and Nikita Sveshnikov from PT Swarm, who uncovered these issues during a comprehensive audit of PDO, demonstrated this with a proof-of-concept. Their example showed a UNION-based injection successfully revealing internal database version details that should have remained inaccessible. PT Swarm said in a report shared with industry publications that these flaws underscore how much PHP’s database security relies on the internal workings of its drivers, not just application-level code.

PHP maintainers have addressed this vulnerability by refactoring the Firebird driver’s token-by-token reconstruction logic. The fix replaces the unsafe NUL-terminated approach with a binary-safe method, ensuring string integrity. Systems running unpatched versions remain exposed to these SQL injection risks until updated.

Denial of Service in PostgreSQL Driver (CVE-2026-25290)

The second vulnerability, CVE-2026-25290, is rated Moderate with a CVSS score of approximately 7.3. This flaw affects the pdo_pgsql driver, specifically when emulated prepared statements are explicitly enabled. The vulnerability manifests when a parameter contains an invalid multibyte character sequence for the active connection encoding. In such cases, the underlying libpq library fails silently, returning a NULL escaped string.

Subsequently, PDO’s parser attempts to interpret the length of this NULL value. This action triggers a null pointer dereference, resulting in an immediate segmentation fault and crashing the application process. This constitutes a denial of service (DoS) for the PHP application.

PT Swarm modeled a real-world scenario to illustrate the severity of this DoS. In an e-commerce checkout process, a payment was successfully debited, but a malformed byte sequence in a “notes” field caused the application to crash before the order record could be inserted. This scenario results in a customer being charged without an order ever being created, leading to data inconsistency and significant trust issues.

The solution, released in the same coordinated security update, involves implementing a check within the driver to ensure that an escaped value is not NULL before attempting to dereference it. This transforms a fatal crash into a catchable application error, allowing developers to handle such exceptions gracefully. The full report details these findings and their implications.

What You Should Do

  • Update PHP Immediately: Ensure all PHP installations are updated to the latest patched versions across all supported branches to mitigate both CVE-2026-25289 and CVE-2026-25290.
  • Review Driver Configurations: If using pdo_pgsql, re-evaluate the necessity of explicitly enabling emulated prepared statements. Where possible, use native prepared statements to reduce exposure.
  • Input Validation: Implement robust input validation at the application layer for all user-supplied data, especially when dealing with binary or multibyte character sequences.
  • Atomic Transactions: For critical workflows, particularly those involving financial transactions or sensitive data modifications, ensure they are encapsulated within atomic transactions rather than relying on default autocommit behavior. This helps maintain data consistency even if an application process crashes.
  • Monitor Logs: Regularly monitor application and database logs for any unusual activity, crashes, or errors that might indicate an attempted exploitation or unexpected behavior.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEPatchSecurityVulnerability

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Windows 11 24H2 Backup Policy Changes Confirmed by Microsoft

Next Post

Microsoft Windows Secures AI Agent Workflows with Execution Containers

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical OpenAI Codex macOS App Bug Lets Attackers Inject Indirect Prompts
July 7, 2026
Microsoft Teams Vulnerability Lets Attackers Install RMM Tools and EtherRAT
July 7, 2026
Cavern Manticore Exploits SysAid RMM and WinDirStat DLL Sideloading for C2 Deployment
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us