CVE-2026-7262
Published: 2026-05-10
Priority P346 · high · 7.5 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.76% (50.6th percentile)
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake: it checks the wrong variable when the value element is missing. This leads to a NULL pointer dereference, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php8.4 | — | — |
| php | php | — | — |
| php | php | >= 8.2.0 < 8.2.31 | 8.2.31 |
| php | php | >= 8.3.0 < 8.3.31 | 8.3.31 |
| php | php | >= 8.4.0 < 8.4.21 | 8.4.21 |
| php | php | >= 8.5.0 < 8.5.6 | 8.5.6 |
| php_7.4 | php | — | — |
| php_8.2 | php | — | — |
| php_8.3 | php | — | — |
| php_group | php | >= 8.2.* < 8.2.31 | 8.2.31 |
| php_group | php | >= 8.3.* < 8.3.31 | 8.3.31 |
| php_group | php | >= 8.4.* < 8.4.21 | 8.4.21 |
| php_group | php | >= 8.5.* < 8.5.6 | 8.5.6 |
| ubuntu | php8.1 | — | — |
| ubuntu | php8.3 | — | — |
| ubuntu | php8.4 | — | — |
| ubuntu | php8.5 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 2.9 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Amber |
| vendor_ubuntu | — | 7.4 | HIGH | — |
| vendor_redhat | — | 2.9 | LOW | — |
VulDB
PHP up to 8.2.30/8.3.30/8.4.20/8.5.5 SOAP Server null pointer dereference (GHSA-hmxp-6pc4-f3vv / Nessus ID 313734)
vuldb·2026-06-02·CVSS 2.9
CVE-2026-7262 [LOW] PHP up to 8.2.30/8.3.30/8.4.20/8.5.5 SOAP Server null pointer dereference (GHSA-hmxp-6pc4-f3vv / Nessus ID 313734)
A vulnerability was found in PHP up to 8.2.30/8.3.30/8.4.20/8.5.5 and classified as problematic. The affected element is an unknown function of the component SOAP Server Handler. The manipulation results in null pointer dereference.
This vulnerability was named CVE-2026-7262. The attack may be performed remotely. There is no available exploit.
It is suggested to upgrade the affected component.
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2026-05-28·CVSS 7.4
CVE-2026-7259 [HIGH] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly
handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An
attacker could possibly use this issue to perform SQL injection attacks.
(CVE-2025-14179)
It was discovered that PHP incorrectly handled certain encoding names in
mbstring. An attacker could possibly use this issue to obtain sensitive
information or cause a denial of service. This issue only affected Ubuntu
25.10 and Ubuntu 26.04 LTS. (CVE-2026-6104)
It was discovered that PHP incorrectly handled object references while
parsing crafted SOAP requests. A remote attacker could possibly use this
issue to execute arbitrary code. (CVE-2026-6722)
It was discovered that PH
Red Hat
php: NULL pointer dereference in SOAP apache:Map decoder with missing <value>
vendor_redhat·2026-05-10·CVSS 2.9
CVE-2026-7262 [LOW] CWE-476 php: NULL pointer dereference in SOAP apache:Map decoder with missing <value>
A flaw was found in PHP. When a PHP SOAP server has a typemap configured, the apache:Map decoding process checks the incorrect variable in case of a missing value element. This incorrect check leads to a NULL pointer dereference and allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in a denial of service.
Statement: To exploit this issue, a remote unauthenticated attacker needs to send a malicious request to be processed by the apache:Map decoder, causing a crash in the PHP SOAP server process. Due to this reason, this vulnerability has been rated with an important severity.
Mitigation: Red Hat has investigated whether a possible mitigation exists for this issue, and has not been
No detection rules found.
No public exploits indexed.
Rapid7
Patch Tuesday - May 2026
blogs_rapid7·2026-05-13·CVSS 10.0
CVE-2026-41089 [CRITICAL] Patch Tuesday - May 2026
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
Bugzilla
CVE-2026-7262 php: NULL pointer dereference in SOAP apache:Map decoder with missing <value>
bugzilla·2026-05-10·CVSS 2.9
CVE-2026-7262 [LOW] CVE-2026-7262 php: NULL pointer dereference in SOAP apache:Map decoder with missing <value>
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake: it checks the wrong variable when the value element is missing. This leads to a NULL pointer dereference, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv
https://access.redhat.com/errata/RHSA-2026:22142
https://access.redhat.com/errata/RHSA-2026:22143
https://access.redhat.com/errata/RHSA-2026:22305
https://access.redhat.com/errata/RHSA-2026:22649
https://access.redhat.com/errata/RHSA-2026:23388
https://access.redhat.com/security/cve/CVE-2026-7262
https://bugzilla.redhat.com/show_bug.cgi?id=2468565
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7262.json
Published: 2026-05-10