HarborGuard Database
HIGH · CVE-2026-48979 · CNA: GitHub_M

CVE-2026-48979: PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling

PHP Standard Library (PSL) is a set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, Psl\H2\ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the HEADERS frame, allowing request smuggling, in violation of RFC 9113 §8.1.1. A malicious client can send more DATA bytes than declared, smuggling additional content past application-level size limits, or send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly. The vulnerability is only reachable for consumers using Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers of the documented high-level PSL APIs are not affected. This issue has been fixed in versions 6.1.2 and 6.2.1.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 2


HarborGuard Analysis

Synopsis

This is an HTTP/2 request smuggling vulnerability in the PHP Standard Library (PSL), specifically in the Psl\H2\ServerConnection component, affecting versions 6.1.0, 6.1.1, and 6.2.0. The flaw is reachable over the network with no authentication required and stems from a missing validation step: the library does not confirm that the bytes received in HTTP/2 DATA frames match the content-length value declared in the HEADERS frame. A successful attacker can smuggle extra bytes past application-level size limits or cause applications that trust the declared length to behave incorrectly, enabling data tampering at the application layer. No fix versions have been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-48979 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle PSL directly. Any image containing php-standard-library or php-standard-library/h2 at an affected version range is flagged automatically in both registry scans and CI pipeline checks.

Triage: Available

Triage is available using the CVSS v3.1 score of 7.5 (HIGH), with per-environment compliance policy weighting applied so teams with stricter integrity-focused policies see this issue elevated appropriately. Findings are routed to the right team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available at versions 6.1.2 or 6.2.1 the moment upstream ships. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically without manual intervention once a fix version appears.

Exploit Conditions

  • Network reachability: Required

    The vulnerable ServerConnection accepts client traffic over the network, so an attacker must be able to reach the exposed HTTP/2 service from the internet or an internal network segment.

  • Authentication: Not required

    No credentials or account are needed; any client that can open an HTTP/2 connection to the service can attempt the smuggling attack.

  • Victim interaction: Not required

    The attack is fully client-driven and requires no action from a legitimate user or operator on the server side.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond reaching the service.

Blast Radius

  • An attacker sends more DATA bytes than declared in the HEADERS frame, smuggling content past application-level size checks and request filters.
  • An attacker sends fewer DATA bytes than declared and closes the stream early, causing application logic that trusts the declared content-length to process incomplete or misaligned request bodies.
  • Both variants allow manipulation of server-side request handling, with integrity impact rated HIGH, meaning persisted state, routing decisions, or downstream service behavior can be corrupted or manipulated based on the smuggled content.
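As an added example (not PSL code), the following Python models the per-stream check that RFC 9113 §8.1.1 requires and that the affected versions omit, covering both variants listed above and in the description: a body that overruns the declared content-length is rejected the moment it does, and a stream that ends early with too few bytes is rejected instead of being handed to the application. The frame tuples, StreamState and handle_request are constructed for this illustration and are not the library's API.

```python
from dataclasses import dataclass, field
from typing import Optional

class MalformedRequest(Exception):
    """Body length disagrees with the declared content-length (RFC 9113 section 8.1.1)."""


@dataclass
class StreamState:  # constructed stand-in for a server connection's per-stream state
    declared: Optional[int] = None  # None when the request carried no content-length
    received: int = 0
    body: bytearray = field(default_factory=bytearray)
    closed: bool = False

    def on_headers(self, headers: dict, end_stream: bool) -> None:
        value = headers.get("content-length")
        if value is not None:
            if not value.isdigit():  # negative, empty or non-numeric: malformed
                raise MalformedRequest("content-length is not a non-negative integer")
            self.declared = int(value)
        if end_stream:
            self._finish()

    def on_data(self, payload: bytes, end_stream: bool) -> None:
        self.received += len(payload)
        # The check the affected versions lack: fail once the body exceeds the declaration.
        if self.declared is not None and self.received > self.declared:
            raise MalformedRequest(f"{self.received} bytes received, {self.declared} declared")
        self.body += payload
        if end_stream:
            self._finish()

    def _finish(self) -> None:
        # An early END_STREAM with too few bytes is the other malformed case.
        if self.declared is not None and self.received != self.declared:
            raise MalformedRequest(f"stream ended at {self.received} of {self.declared} bytes")
        self.closed = True


def handle_request(frames: list) -> bytes:
    """Feed (kind, payload, end_stream) frames in order; return the complete body."""
    state = StreamState()
    for kind, payload, end_stream in frames:
        if kind == "HEADERS":
            state.on_headers(payload, end_stream)
        elif kind == "DATA":
            state.on_data(payload, end_stream)
    if not state.closed:
        raise MalformedRequest("stream was never terminated with END_STREAM")
    return bytes(state.body)
```

A server that raises MalformedRequest would answer with a stream error of type PROTOCOL_ERROR (optionally a 400 first), which is the treatment the RFC prescribes for a malformed request.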

How HarborGuard Handles This

Available on HarborGuard: immediate detection of any image containing php-standard-library or php-standard-library/h2 at versions 6.1.0, 6.1.1, or 6.2.0, flagged as HIGH severity based on the CVSS 7.5 score. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle. The moment versions 6.1.2 or 6.2.1 are published, a patched-image rebuild becomes available automatically. For customers with auto-remediation enabled, HarborGuard will trigger a rebuild, run regression tests, and open a PR against affected workloads without requiring manual steps. In the interim, compensating controls available through HarborGuard policy include network-policy isolation to restrict which clients can reach services using Psl\H2\ServerConnection directly, and flagging any newly built images that introduce the affected package versions into a pipeline stage requiring manual approval before promotion to production.

Affected packages
  • php-standard-library / php-standard-library
    >= 6.1.0, < 6.1.2 · >= 6.2.0, < 6.2.1
  • php-standard-library / php-standard-library/h2
    >= 6.1.0, < 6.1.2 · >= 6.2.0, < 6.2.1

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N