CVE-2026-7262
Segmentation Fault in PHP SOAP Server Due to NULL Pointer Dereference
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: PHP Group
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| php | php | to 8.2.31 (exc) |
| php | php | to 8.3.31 (exc) |
| php | php | to 8.4.21 (exc) |
| php | php | to 8.5.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7262 is a vulnerability in PHP's SOAP extension that occurs when a SOAP server has a typemap configured. The issue arises in the decoding process of SOAP requests, specifically in the function that handles apache:Map nodes. The function incorrectly checks for a missing <key> node but fails to properly validate the <value> node. When the <value> node is missing, this leads to a NULL pointer dereference, causing a segmentation fault.
An attacker can exploit this by sending a specially crafted SOAP request with an apache:Map node missing the <value> element, which crashes the PHP SOAP server process.
How can this vulnerability impact me? :
This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition by crashing the PHP SOAP server process through a segmentation fault.
The impact is limited to system availability, meaning the server running the vulnerable PHP SOAP service can be made unavailable, potentially disrupting services that rely on it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or segmentation faults in PHP SOAP server processes, especially when typemap configuration is used.
Detection can also involve inspecting SOAP requests for specially crafted apache:Map nodes missing the <value> element, which trigger the vulnerability.
While no specific commands are provided in the resources, general approaches include:
- Checking PHP version to confirm if it is before the patched versions (8.2.31, 8.3.31, 8.4.21, 8.5.6) using: php -v
- Monitoring system logs or PHP error logs for segmentation faults related to the SOAP server.
- Using network traffic analysis tools (e.g., tcpdump, Wireshark) to capture and analyze SOAP requests for malformed apache:Map nodes.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade PHP to a patched version where this vulnerability is fixed.
- Upgrade PHP to version 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later.
If upgrading immediately is not possible, consider disabling or restricting the use of the SOAP extension or typemap configuration to prevent exploitation.
Additionally, monitor the SOAP server for unusual crashes and apply network-level protections to limit access to the SOAP service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition by crashing the PHP SOAP server process through a NULL pointer dereference. The impact is limited to system availability.
While the vulnerability affects system availability, there is no direct information provided about data confidentiality, integrity, or privacy breaches that would impact compliance with standards such as GDPR or HIPAA.
However, denial-of-service attacks can indirectly affect compliance by disrupting services that handle sensitive data, potentially violating availability requirements in these regulations.