If a password stored with password_hash starts with a null byte (\x00), testing a blank string as the password via password_verify will incorrectly return true. If a user were able to create a password with a leading null byte (unlikely, but syntactically valid), an attacker could trivially compromise the victim's account by attempting to sign in with a blank string.
Created php tracking bugs for this issue: Affects: fedora-all [bug 2275062]