Description
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.
Published: 2026-05-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs in PHP’s DOMNode::C14N() method, which can create an unintended circular linked list when processing certain XML inputs. This causes subsequent XML processing to enter an infinite loop, exhausting CPU resources and rendering the application unresponsive. The vulnerability is documented as CWE‑404 (Improper Handling of Resource) and CWE‑835 (Infinite Loop). The effect is purely a denial of service; the attacker can interrupt the normal operation of any application that relies on SOAP or XML parsing through this method.

Affected Systems

PHP versions 8.4.* prior to 8.4.21 and 8.5.* prior to 8.5.6 are vulnerable. The affected product is the PHP runtime provided by the PHP Group.

Risk and Exploitability

The CVSS score is 6.3, indicating moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is application‑level, where an attacker supplies crafted XML data to an endpoint that uses DOMNode::C14N(). Because the fault causes an infinite loop, an attacker could trigger a denial of service on the host running PHP. No code‑execution prerequisite is required, and the impact is confined to the affected application or server.

Generated by OpenCVE AI on May 10, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade PHP to version 8.4.21 or later, or to version 8.5.6 or later, to include the fix for the faulty C14N handling.
  • If an upgrade is delayed, identify all code paths that invoke DOMNode::C14N() and either stop passing untrusted XML to them or replace the call with a safer alternative; at minimum, reject malformed XML inputs before they reach the call.
  • Deploy application layer monitoring to detect long‑running XML processing tasks and apply rate limiting or circuit‑breaker logic to mitigate the impact until a patch is installed.

Advisories

Source      ID           Title
Debian DSA  DSA-6256-1   php8.4 security update
Ubuntu USN  USN-8336-1   PHP vulnerabilities

History

Sat, 30 May 2026 00:15:00 +0000
  References: (no values listed)
  Metrics threat_severity: removed "None"; added "Important"

Tue, 12 May 2026 17:45:00 +0000
  First Time appeared: added "Php", "Php php"
  CPEs: added cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
  Vendors & Products: added "Php", "Php php"
  Metrics cvssV3_1: added
    {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Mon, 11 May 2026 15:15:00 +0000
  Metrics ssvc: added
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 07:45:00 +0000
  First Time appeared: added "Php Group", "Php Group php"
  Vendors & Products: added "Php Group", "Php Group php"

Sun, 10 May 2026 06:00:00 +0000
  Description: added "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application."
  Title: added "DoS attack via DOMNode::C14N()"
  Weaknesses: added CWE-404, CWE-835
  References: (no values listed)
  Metrics cvssV4_0: added
    {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: php

Published:

Updated: 2026-05-11T13:04:26.399Z

Reserved: 2026-04-28T05:12:25.217Z

Link: CVE-2026-7263

Vulnrichment

Updated: 2026-05-11T13:04:18.459Z

NVD

Status : Analyzed

Published: 2026-05-10T06:16:08.343

Modified: 2026-05-12T17:35:49.510

Link: CVE-2026-7263

Redhat

Severity : Important

Public Date: 2026-05-10T04:43:04Z

Links: CVE-2026-7263 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-10T07:30:05Z

Weaknesses