VIR Vulnerability Intelligence Relay

CVE-2026-46644

unknown
Published 2026-05-26 · Modified —
CVSS v3
CVSS v2
VIR risk

Description

CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-46644

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-46644 NameCVE-2026-46644 Descriptioninsecure equivalence in symfony/polyfill-intl-idn for ASCII-only xn-- labels SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table below lists information on source packages. Source…

CVE-2026-46644

NameCVE-2026-46644
Descriptioninsecure equivalence in symfony/polyfill-intl-idn for ASCII-only xn-- labels
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php-symfony-polyfill (PTS)bullseye1.22.1-1vulnerable
bookworm1.27.0-2vulnerable
forky1.37.0-1vulnerable
sid1.38.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php-symfony-polyfillsource(unstable)1.38.1-1

Notes

[bookworm] - php-symfony-polyfill <no-dsa> (Minor issue)
https://symfony.com/blog/cve-2026-46644-insecure-equivalence-in-symfony-polyfill-intl-idn-for-ascii-only-xn-labels
https://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
[bookworm] - php-symfony-polyfill <no-dsa> (Minor issue)https://symfony.com/blog/cve-2026-46644-insecure-equivalence-in-symfony-polyfill-intl-idn-for-ascii-only-xn-labelshttps://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq

OS impact
OSVersionStatusFixed in
debian debianbookwormaffected
debian debianbullseyeaffected
debian debianforkyaffected
debian debiansidfixed1.38.1-1

Package impact
EcosystemPackageVulnerableFixed
php Packagistsymfony/polyfill-intl-idn>=1.17.1,<1.38.1
php Packagistsymfony/polyfill>=1.17.1,<1.38.1

References

Verify integrity in audit chain (admin only). AS-IS.