Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-05-10T04:00:09 php: NULL pointer dereference in SOAP apache:Map decoder with missing <value> 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-476

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.  This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.

A flaw was found in PHP. When a PHP SOAP server has a typemap configured, the apache:Map decoding process checks the incorrect variable in case of a missing value element. This incorrect check leads to a NULL pointer dereference and allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in a denial of service.

To exploit this issue, a remote unauthenticated attacker needs to send a malicious request to be processed by the apache:Map decoder, causing a crash in the PHP SOAP server process. Due to this reason, this vulnerability has been rated with an important severity. Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible. Red Hat Enterprise Linux 10 2026-06-02T00:00:00Z RHSA-2026:22649 php8.4-0:8.4.21-1.el10_2 Red Hat Enterprise Linux 10 2026-06-04T00:00:00Z RHSA-2026:23388 php-0:8.3.31-1.el10_2 Red Hat Enterprise Linux 8 2026-06-01T00:00:00Z RHSA-2026:22305 php:8.2-8100020260521052503.f7998665 Red Hat Enterprise Linux 9 2026-06-01T00:00:00Z RHSA-2026:22142 php:8.3-9080020260521113736.9 Red Hat Enterprise Linux 9 2026-06-01T00:00:00Z RHSA-2026:22143 php:8.2-9080020260521080715.9 Red Hat Enterprise Linux 6 Not affected php Red Hat Enterprise Linux 7 Not affected php Red Hat Enterprise Linux 8 Not affected php:7.4/php Red Hat Enterprise Linux 9 Not affected php Red Hat Hardened Images Not affected php https://www.cve.org/CVERecord?id=CVE-2026-7262 https://nvd.nist.gov/vuln/detail/CVE-2026-7262 https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv