CVE-2026-7262

NameCVE-2026-7262
DescriptionIn PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.  This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4586-1, DSA-6255-1, DSA-6256-1
Debian Bugs1136054

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php7.4 (PTS)bullseye7.4.33-1+deb11u5vulnerable
bullseye (security)7.4.33-1+deb11u11fixed
php8.2 (PTS)bookworm, bookworm (security)8.2.31-1~deb12u1fixed
php8.4 (PTS)trixie8.4.16-1~deb13u1vulnerable
trixie (security)8.4.21-1~deb13u1fixed
forky, sid8.4.21-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php7.4sourcebullseye7.4.33-1+deb11u11DLA-4586-1
php7.4source(unstable)(unfixed)
php8.2sourcebookworm8.2.31-1~deb12u1DSA-6255-1
php8.2source(unstable)(unfixed)
php8.4sourcetrixie8.4.21-1~deb13u1DSA-6256-1
php8.4source(unstable)8.4.21-11136054

Notes

https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv
https://github.com/php/php-src/commit/79551ab8b1a97760c739e372f9bc359619f3554d
Search for package or bug name: Reporting problems