CVE-2026-7262 - Vulnerability Details

- NULL pointer dereference in SOAP apache:Map decoder with missing <value>

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.

Published: 2026-05-10

Score: 2.9 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A NULL pointer dereference occurs in PHP’s SOAP apache:Map decoder when a typemap is configured and the <value> element is missing in the SOAP envelope. The decoder incorrectly references a wrong variable, resulting in a segmentation fault of the PHP SOAP server process. A remote attacker can exploit this flaw by sending a specially crafted SOAP request, causing the server to crash without any authentication. The primary consequence is a denial of service to clients of the affected SOAP service.

Affected Systems

PHP Group: PHP is affected. Versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6 contain the vulnerability. All other PHP releases are not impacted.

Risk and Exploitability

The CVSS score of 2.9 indicates a low overall severity, and the EPSS score is not available yet. The vulnerability is not listed in the CISA KEV catalog. Inferred from the description, the attack vector is remote and requires no authentication, but the effect is limited to causing a service crash. While the exploitation risk is moderate due to the low CVSS, the impact of failure to patch is a potential DoS on a public-facing web service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

PHP Group

PHP

affected

Version	Status	Constraints
`8.2.*`	affected	< 8.2.31
`8.3.*`	affected	< 8.3.31
`8.4.*`	affected	< 8.4.21
`8.5.*`	affected	< 8.5.6

Configuration 1 [-]

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

No data.

Vendor Product Confidence Versions

Php Group

Php

100%

Version	Status	Scheme	Platform
`[8.2.0,8.2.31)`	affected	semver	—
`[8.3.0,8.3.31)`	affected	semver	—
`[8.4.0,8.4.21)`	affected	semver	—
`[8.5.0,8.5.6)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade PHP to the latest patched version (at least 8.2.31, 8.3.31, 8.4.21, or 8.5.6 as appropriate).
If an immediate upgrade is not possible, disable or remove the SOAP typemap that is vulnerable, or configure it to validate the presence of the <value> element before processing.
Restart the PHP SOAP server to apply the changes and ensure the vulnerable code path is no longer active.

Generated by OpenCVE AI on May 10, 2026 at 05:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4586-1	php7.4 security update
Debian DSA	DSA-6255-1	php8.2 security update
Debian DSA	DSA-6256-1	php8.4 security update
Ubuntu USN	USN-8336-1	PHP vulnerabilities

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00134.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv
https://nvd.nist.gov/vuln/detail/CVE-2026-7262
https://www.cve.org/CVERecord?id=CVE-2026-7262

History

Wed, 20 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-7262 https://www.cve.org/CVERecord?id=CVE-2026-7262
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 12 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Php Php php
CPEs		cpe:2.3:a:php:php::::::::
Vendors & Products		Php Php php
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 11 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 10 May 2026 06:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Php Group Php Group php
Vendors & Products		Php Group Php Group php

Sun, 10 May 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
Title		NULL pointer dereference in SOAP apache:Map decoder with missing <value>
Weaknesses		CWE-476
References		https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv
Metrics		cvssV4_0 `{'score': 2.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/RE:M/U:Amber'}`

Subscriptions

Php Php

Php Group Php

MITRE

Status: PUBLISHED

Assigner: php

Published: 2026-05-10T04:00:09.382Z

Updated: 2026-05-11T13:14:53.526Z

Reserved: 2026-04-28T05:09:37.127Z

Link: CVE-2026-7262

Vulnrichment

Updated: 2026-05-11T13:14:49.306Z

NVD

Status : Analyzed

Published: 2026-05-10T05:16:11.780

Modified: 2026-05-12T17:39:15.740

Link: CVE-2026-7262

Redhat

Severity : Important

Publid Date: 2026-05-10T04:00:09Z

Links: CVE-2026-7262 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-10T06:00:06Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object