Description
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.
Published: 2026-05-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs in PHP's DOMNode::C14N() method, which can create an unintended circular linked list when processing certain XML inputs. Subsequent XML processing then enters an infinite loop, exhausting CPU resources and rendering the application unresponsive. The vulnerability is documented as CWE-404 (Improper Handling of Resource) and CWE-835 (Infinite Loop). The effect is purely a denial of service: the attacker can interrupt the normal operation of any application that relies on SOAP or XML parsing through this method.

Affected Systems

PHP versions 8.4.* prior to 8.4.21 and 8.5.* prior to 8.5.6 are vulnerable. The affected product is the PHP runtime provided by the PHP Group.

Risk and Exploitability

The CVSS score is 6.3, indicating moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is application-level, where an attacker supplies crafted XML data to an endpoint that uses DOMNode::C14N(). Because the fault causes an infinite loop, an attacker could trigger a denial of service on the host running PHP. No code execution prerequisite is required, and the impact is confined to the affected application or server.

Generated by OpenCVE AI on May 10, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade PHP to version 8.4.21 or later, or to version 8.5.6 or later, to include the fix for the faulty C14N handling.
  • If an upgrade is delayed, identify all code paths that invoke DOMNode::C14N() and either block untrusted XML from reaching them or replace the call with a safer alternative; in any case, reject malformed XML inputs before processing.
  • Deploy application layer monitoring to detect long‑running XML processing tasks and apply rate limiting or circuit‑breaker logic to mitigate the impact until a patch is installed.
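As an added illustration of the interim mitigation above (this is example code, not OpenCVE's or the PHP project's), the guard below refuses to canonicalize untrusted XML while the runtime is still one of the affected 8.4.*/8.5.* releases, and on fixed runtimes still enforces a size limit and rejects malformed input before DOMNode::C14N() is reached. The function names, the 256 KiB limit and the exception types are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Assumed policy value: cap on untrusted XML accepted for canonicalization.
const MAX_UNTRUSTED_XML_BYTES = 256 * 1024;

// Returns true when the given PHP version carries the CVE-2026-7263 fix.
// Fixed releases per the advisory are 8.4.21 and 8.5.6; versions outside the
// 8.4 and 8.5 lines are not named as affected and therefore pass.
function runtimeHasC14nFix(string $phpVersion = PHP_VERSION): bool
{
    if (version_compare($phpVersion, '8.4.0', '>=') && version_compare($phpVersion, '8.5.0', '<')) {
        return version_compare($phpVersion, '8.4.21', '>=');
    }
    if (version_compare($phpVersion, '8.5.0', '>=') && version_compare($phpVersion, '8.6.0', '<')) {
        return version_compare($phpVersion, '8.5.6', '>=');
    }
    return true;
}

// Hypothetical wrapper: the only place in the application allowed to call
// C14N() on data that did not originate from a trusted source.
function canonicalizeUntrustedXml(string $xml): string
{
    if (!runtimeHasC14nFix()) {
        // Refuse rather than risk an infinite loop in this worker.
        throw new RuntimeException(
            'C14N on untrusted XML disabled: PHP ' . PHP_VERSION . ' lacks the CVE-2026-7263 fix'
        );
    }
    if ($xml === '' || strlen($xml) > MAX_UNTRUSTED_XML_BYTES) {
        throw new InvalidArgumentException('XML input empty or exceeds size limit');
    }

    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET blocks network fetches during parsing; LIBXML_NOENT is
        // deliberately not set so external entities are not substituted.
        if (!$doc->loadXML($xml, LIBXML_NONET) || $doc->documentElement === null) {
            throw new InvalidArgumentException('Malformed XML rejected');
        }
        $canonical = $doc->documentElement->C14N();
        if ($canonical === false) {
            throw new RuntimeException('Canonicalization failed');
        }
        return $canonical;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample input for a stand-alone run.
echo canonicalizeUntrustedXml('<a  b="2" a="1"><c/></a>'), PHP_EOL;
```

On a fixed runtime the sample prints the canonical form `<a a="1" b="2"><c></c></a>`; on an affected 8.4.*/8.5.* release the wrapper throws before any XML is parsed, which is the behaviour a worker pool should prefer over an unbounded CPU loop. Pair it with the monitoring recommendation above (a request timeout or per-worker CPU limit) so that any remaining C14N() call site that bypasses the wrapper is still bounded.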

Generated by OpenCVE AI on May 10, 2026 at 07:22 UTC.


Advisories
Source      ID          Title
Debian DSA  DSA-6256-1  php8.4 security update
History

Sun, 10 May 2026 07:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Php Group
                                      Php Group php
Vendors & Products                    Php Group
                                      Php Group php

Sun, 10 May 2026 06:00:00 +0000

Type          Values Removed   Values Added
Description                    In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.
Title                          DoS attack via DOMNode::C14N()
Weaknesses                     CWE-404
                               CWE-835
References
Metrics                        cvssV4_0
                               {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: php

Published:

Updated: 2026-05-10T04:46:28.150Z

Reserved: 2026-04-28T05:12:25.217Z

Link: CVE-2026-7263

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T06:16:08.343

Modified: 2026-05-10T06:16:08.343

Link: CVE-2026-7263

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T07:30:05Z

Weaknesses