PT-2026-39449 · Php+3 · Php+3

Ilia Alshanetsky

Published

2026-05-07

Updated

2026-06-04

CVE-2026-7262

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5

Description A mistake in the decoding process of a SOAP server with a configured typemap causes the system to check the wrong variable when a value element is missing. This results in a NULL pointer dereference, leading to a segmentation fault. A remote unauthenticated attacker can exploit this to crash the PHP SOAP server process, causing a denial of service.

Recommendations Update PHP version 8.2.x to 8.2.31 Update PHP version 8.3.x to 8.3.31 Update PHP version 8.4.x to 8.4.21 Update PHP version 8.5.x to 8.5.6

Fix

DoS

NULL Pointer Dereference

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-476

Related Identifiers

ALSA-2026:22142

ALSA-2026:22143

ALSA-2026:22305

ALSA-2026:23388

BIT-LIBPHP-2026-7262

BIT-PHP-2026-7262

BIT-PHP-MIN-2026-7262

CVE-2026-7262

OESA-2026-2340

OESA-2026-2341

OESA-2026-2342

OESA-2026-2343

OESA-2026-2344

OPENSUSE-SU-2026:10747-1

USN-8336-1

Affected Products

Linuxmint

Php

Rocky Linux

Ubuntu

PT-2026-39449 · Php+3 · Php+3

CVE-2026-7262

Weakness Enumeration

Related Identifiers

Affected Products

References · 83