CVE-2026-46644
Description
symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form
CVE-2026-46644
| Name | CVE-2026-46644 |
| Description | insecure equivalence in symfony/polyfill-intl-idn for ASCII-only xn-- labels |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| php-symfony-polyfill (PTS) | bullseye | 1.22.1-1 | vulnerable |
| | bookworm | 1.27.0-2 | vulnerable |
| | sid, forky | 1.38.1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| php-symfony-polyfill | source | (unstable) | 1.38.1-1 | | | |
Notes
[bookworm] - php-symfony-polyfill <no-dsa> (Minor issue)
[bullseye] - php-symfony-polyfill <postponed> (Minor issue; can be fixed with next upload)
https://symfony.com/blog/cve-2026-46644-insecure-equivalence-in-symfony-polyfill-intl-idn-for-ascii-only-xn-labels
https://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq
OS impact
Debian Mixed 4 releases
| Version | Status | Fixed in |
|---|---|---|
| sid | Fixed | 1.38.1-1 |
| forky | Fixed | 1.38.1-1 |
| bullseye | Affected | — |
| bookworm | Affected | — |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | symfony/polyfill | >=1.17.1,<1.38.1 | 1.38.1 |
| Packagist | symfony/polyfill-intl-idn | >=1.17.1,<1.38.1 | 1.38.1 |
References
- https://symfony.com/cve-2026-46644
- https://security-tracker.debian.org/tracker/CVE-2026-46644
- https://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq
- https://github.com/symfony/polyfill/commit/1be936e2491ccebe152bd736dfc91eb1422c8bec
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/polyfill-intl-idn/CVE-2026-46644.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/polyfill/CVE-2026-46644.yaml
- https://github.com/symfony/polyfill