{
  "threat_severity" : "Important",
  "public_date" : "2026-05-10T04:43:04Z",
  "bugzilla" : {
    "description" : "php: denial of service via DOMNode::C14N()",
    "id" : "2468572",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2468572"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-835",
  "details" : [ "A flaw was found in PHP. The `DOMNode::C14N()` method may incorrectly process XML data due to the improper removal of an `xmlns` attribute from the underlying libxml2 data structure, corrupting the linked list representing the XML document and causing an infinite loop. This issue can lead to excessive resource consumption, eventually resulting in a denial of service in the processing application." ],
  "statement" : "To exploit this issue, an attacker needs to be able to supply specially crafted XML data to be processed by the `DOMNode::C14N()` method. This can trigger an infinite loop, causing excessive resource consumption, eventually resulting in a denial of service in the program processing the data. As this flaw allows an unauthenticated and remote attacker to cause a denial of service, it has been rated with an important severity.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "php8.4",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "php:7.4/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "php:8.2/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "php:8.2/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "php:8.3/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-7263\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-7263\nhttps://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733" ],
  "name" : "CVE-2026-7263",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}