{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-10T04:28:14Z",
  "bugzilla" : {
    "description" : "PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions",
    "id" : "2468561",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2468561"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-839",
  "details" : [ "A flaw was found in PHP. Some functions, including `urldecode()`, incorrectly pass signed characters to character type (ctype) functions. On certain systems, this can lead to accessing memory with a negative offset. This vulnerability can be exploited by an attacker to trigger a denial of service (DoS), making the affected PHP application or system unavailable." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:14125",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "php-main-8.5.6-1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "php8.4",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "php:7.4/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "php:8.2/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "php:8.2/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "php:8.3/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Fix deferred",
    "package_name" : "devspaces/code-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-7258\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-7258\nhttps://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4" ],
  "name" : "CVE-2026-7258",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}