CVE-2026-7262

HIGH

NULL pointer dereference in SOAP apache:Map decoder with missing <value>

Title source: cna

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv

Scores

CVSS v3 7.5

EPSS 0.0013

EPSS Percentile 32.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-476

Status published

Products (5)

php/php 8.2.0 - 8.2.31

PHP Group/PHP 8.2.* - 8.2.31

PHP Group/PHP 8.3.* - 8.3.31

PHP Group/PHP 8.4.* - 8.4.21

PHP Group/PHP 8.5.* - 8.5.6

Published May 10, 2026

Tracked Since May 10, 2026