CVE-2024-3096

In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

Published: Apr 29, 2024
Updated: Jun 19, 2025
CVE: CVE-2024-3096
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
php / php	8.3.0	8.3.5
php / php	8.1.0	8.1.28
php / php	8.2.0	8.2.18
debian / debian_linux	10.0	10.0.x

http://www.openwall.com/lists/oss-security/2024/04/12/11
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html
https://security.netapp.com/advisory/ntap-20240510-0010/

Vulnerability Database

289,599

CVE-2024-3096