CVE-2026-7262

EUVD-2026-28971

10.05.2026, 05:16

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.  This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
php	CNA	2.9 LOW	NETWORK	LOW	NONE	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/RE:M/U:Amber

Base Score

CVSS 3.x

EPSS Score

Percentile: 28%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
php	php	8.2.* ≤ 𝑥 < 8.2.31	CNA
php	php	8.3.* ≤ 𝑥 < 8.3.31	CNA
php	php	8.4.* ≤ 𝑥 < 8.4.21	CNA
php	php	8.5.* ≤ 𝑥 < 8.5.6	CNA

Debian Releases

Debian Product

Codename

php7.4

bullseye	vulnerable
bullseye (security)	vulnerable

php8.2

bookworm	vulnerable
bookworm (security)	8.2.31-1~deb12u1 fixed

php8.4

forky	vulnerable
sid	8.4.21-1 fixed
trixie	vulnerable
trixie (security)	8.4.21-1~deb13u1 fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Vulnerability Media Exposure

[GERMAN] PHP: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in PHP ausnutzen, um beliebigen Programmcode auszuführen, SQL-Injection- oder Cross-Site-Scripting-Angriffe durchzuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Published: 2026-05-07T22:00:00+00:00

References

https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv