php · LamentXU123 · Apr 8, 2026 · Apr 8, 2026 · Apr 9, 2026 · Apr 10, 2026
diff --git a/NEWS b/NEWS
@@ -138,6 +138,8 @@ PHP                                                                        NEWS
     while COW violation flag is still set). (alexandre-daubois)
   . Added form feed (\f) in the default trimmed characters of trim(), rtrim()
     and ltrim(). (Weilin Du)
+  . Fixed bug GH-21673 Reject NUL bytes in bcrypt passwords passed to 
+    password_verify(). (Weilin Du)
   . Invalid mode values now throw in array_filter() instead of being silently
     defaulted to 0. (Jorg Sowa)
   . Fixed bug GH-21058 (error_log() crashes with message_type 3 and

@@ -181,7 +181,7 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a
 	zval *zcost;
 	zend_long cost = PHP_PASSWORD_BCRYPT_COST;
 
-	if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
+	if (zend_str_has_nul_byte(password)) {
 		zend_value_error("Bcrypt password must not contain null character");
 		return NULL;
 	}
@@ -620,6 +620,10 @@ PHP_FUNCTION(password_verify)
 	ZEND_PARSE_PARAMETERS_END();
 
 	algo = php_password_algo_identify(hash);
+	if (algo == &php_password_algo_bcrypt && zend_str_has_nul_byte(password)) {
+		RETURN_FALSE;
+	}
+
 	RETURN_BOOL(algo && (!algo->verify || algo->verify(password, hash)));
 }
 /* }}} */

@@ -0,0 +1,14 @@
+--TEST--
+password_verify() rejects bcrypt passwords containing null bytes
+--FILE--
+<?php
+$hash = password_hash("foo", PASSWORD_BCRYPT);
+
+var_dump(password_verify("foo", $hash));
+var_dump(password_verify("foo\0bar", $hash));
+var_dump(password_verify("\0foo", $hash));
+?>
+--EXPECT--
+bool(true)
+bool(false)
+bool(false)