High severity7.5NVD Advisory· Published May 10, 2026· Updated May 12, 2026
CVE-2026-7262
CVE-2026-7262
Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
44- osv-coords42 versionspkg:apk/chainguard/php-8.2pkg:apk/wolfi/php-8.2pkg:bitnami/libphppkg:bitnami/phppkg:bitnami/php-minpkg:rpm/almalinux/apcu-panelpkg:rpm/almalinux/libzippkg:rpm/almalinux/libzip-develpkg:rpm/almalinux/libzip-toolspkg:rpm/almalinux/phppkg:rpm/almalinux/php-bcmathpkg:rpm/almalinux/php-clipkg:rpm/almalinux/php-commonpkg:rpm/almalinux/php-dbapkg:rpm/almalinux/php-dbgpkg:rpm/almalinux/php-develpkg:rpm/almalinux/php-embeddedpkg:rpm/almalinux/php-enchantpkg:rpm/almalinux/php-ffipkg:rpm/almalinux/php-fpmpkg:rpm/almalinux/php-gdpkg:rpm/almalinux/php-gmppkg:rpm/almalinux/php-intlpkg:rpm/almalinux/php-ldappkg:rpm/almalinux/php-mbstringpkg:rpm/almalinux/php-mysqlndpkg:rpm/almalinux/php-odbcpkg:rpm/almalinux/php-opcachepkg:rpm/almalinux/php-pdopkg:rpm/almalinux/php-pearpkg:rpm/almalinux/php-pecl-apcupkg:rpm/almalinux/php-pecl-apcu-develpkg:rpm/almalinux/php-pecl-redis6pkg:rpm/almalinux/php-pecl-rrdpkg:rpm/almalinux/php-pecl-xdebug3pkg:rpm/almalinux/php-pecl-zippkg:rpm/almalinux/php-pgsqlpkg:rpm/almalinux/php-processpkg:rpm/almalinux/php-snmppkg:rpm/almalinux/php-soappkg:rpm/almalinux/php-xmlpkg:rpm/opensuse/php8&distro=openSUSE%20Tumbleweed
< 8.2.31-r0+ 41 more
- (no CPE)range: < 8.2.31-r0
- (no CPE)range: < 8.2.31-r0
- (no CPE)range: >= 8.2.0, < 8.2.31
- (no CPE)range: >= 8.2.0, < 8.2.31
- (no CPE)range: >= 8.2.0, < 8.2.31
- (no CPE)range: < 5.1.23-1.module_el9.6.0+151+5f31e576
- (no CPE)range: < 1.7.3-1.module_el8.10.0+3796+30ed3ef7
- (no CPE)range: < 1.7.3-1.module_el8.10.0+3796+30ed3ef7
- (no CPE)range: < 1.7.3-1.module_el8.10.0+3796+30ed3ef7
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 1:1.10.14-1.module_el8.10.0+3796+30ed3ef7
- (no CPE)range: < 5.1.23-1.module_el9.6.0+151+5f31e576
- (no CPE)range: < 5.1.23-1.module_el9.6.0+151+5f31e576
- (no CPE)range: < 6.1.0-2.module_el9.6.0+151+5f31e576
- (no CPE)range: < 2.0.3-4.module_el9.6.0+151+5f31e576
- (no CPE)range: < 3.3.1-1.module_el9.6.0+151+5f31e576
- (no CPE)range: < 1.22.3-1.module_el9.6.0+151+5f31e576
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.3.31-2.module_el9.8.0+255+747189f2
- (no CPE)range: < 8.5.6-1.1
Patches
Vulnerability mechanics
References
1- github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vvnvdVendor Advisory
News mentions
1- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026