Critical PHP PDO Driver Bugs Expose Firebird SQL Injection and PostgreSQL DoS Risks
Two critical vulnerabilities in PHP's PDO drivers, CVE-2026-25289 and CVE-2026-25290, allow SQL injection and denial of service, respectively. Both have been patched.

Two critical vulnerabilities have been discovered in PHP's widely-used PDO (PHP Data Objects) drivers, potentially exposing applications to SQL injection and denial-of-service attacks. The first flaw, CVE-2026-25289, resides in the pdo_firebird driver and can be exploited via SQL injection by leveraging NUL bytes within quoted strings. The second, CVE-2026-25290, affects the pdo_pgsql driver and can lead to a denial of service by crashing the application process when handling malformed multibyte character sequences. Researchers Aleksey Solovev and Nikita Sveshnikov from PT Swarm identified these issues during a security audit of PHP's PDO layer and its associated drivers.
The pdo_firebird vulnerability, rated High severity, stems from improper handling of C strings within the driver. While developers often assume that quoting strings using PDO::quote before preparing statements is inherently secure, this research highlights a flaw in the driver's reconstruction logic. The driver uses the C function strncat, which prematurely terminates string concatenation upon encountering a NUL byte, even if the specified length indicates more data should be processed. This behavior allows an attacker to inject malicious SQL code by embedding a NUL byte within a quoted string, effectively breaking the intended boundaries and enabling attacks like UNION-based injections to reveal sensitive database information.
PHP maintainers have addressed CVE-2026-25289 by rewriting the Firebird driver's reconstruction logic to use a binary-safe method, moving away from the vulnerable NUL-terminated string approach. This fix ensures that quoted strings are processed accurately, preventing the unintended execution of injected SQL commands. Users running unpatched versions of PHP remain vulnerable to this SQL injection risk until they apply the security update.
The second vulnerability, CVE-2026-25290, rated Moderate with a CVSS score of approximately 7.3, impacts the pdo_pgsql driver when emulated prepared statements are enabled. In this configuration, if a parameter contains an invalid multibyte character sequence for the active connection encoding, the underlying libpq library may fail silently and return a NULL value. Subsequently, PHP's PDO parser attempts to read the length of this NULL value, triggering a null pointer dereference and causing a segmentation fault, which crashes the application process.
This denial-of-service condition can have significant consequences, particularly in transactional workflows. For instance, an e-commerce application might process a payment, debit a customer's account, and then crash while attempting to record the order due to malformed input in a field like order notes. This scenario leads to a charged customer with no corresponding order, resulting in financial discrepancies and a severe erosion of trust. The fix implemented by PHP developers ensures that the driver checks for a NULL escaped value before attempting to dereference it, transforming a fatal crash into a catchable application error.
Both vulnerabilities were patched by PHP maintainers in a coordinated security release. The researchers from PT Swarm emphasize that the security of web applications is not solely dependent on the application code itself but also relies heavily on the underlying runtime environments and native libraries. They recommend that developers update their PHP installations promptly to mitigate these risks. Furthermore, they advise treating binary input as untrustworthy, avoiding unnecessary use of emulated prepare modes, and implementing atomic transactions for critical operations like financial workflows to prevent data inconsistencies in the event of application failures.
These findings underscore the importance of continuous security auditing and the need for developers to be aware of potential weaknesses in the foundational components of their applications. The widespread use of PHP and its PDO drivers means that these vulnerabilities could affect a large number of web applications globally, making timely patching a critical security imperative.