CVE-2026-7262

high

Published 2026-05-10 · Modified 2026-06-01

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4 NEW

2.9

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Amber

VIR risk

7.5

Description

Important: php:8.2 security update

Predictions

Exploit likelihood

83%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description php: NULL pointer dereference in SOAP apache:Map decoder with missing <value> Red Hat statement To exploit this issue, a remote unauthenticated attacker needs to send a malicious request to be processed by the apache:Map decoder, causing a crash in the PHP SOAP server process. Due to this reason, this vulnerability has been rated with an important severity. CVSS v3: 7.5…

Description

php: NULL pointer dereference in SOAP apache:Map decoder with missing <value>

Red Hat statement

To exploit this issue, a remote unauthenticated attacker needs to send a malicious request to be processed by the apache:Map decoder, causing a crash in the PHP SOAP server process. Due to this reason, this vulnerability has been rated with an important severity.

CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 8	`php:8.2-8100020260521052503.f7998665`	RHSA-2026:22305	2026-06-01T00:00:00Z
Red Hat Enterprise Linux 9	`php:8.3-9080020260521113736.9`	RHSA-2026:22142	2026-06-01T00:00:00Z
Red Hat Enterprise Linux 9	`php:8.2-9080020260521080715.9`	RHSA-2026:22143	2026-06-01T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 10	`php`	Affected
Red Hat Enterprise Linux 10	`php8.4`	Affected
Red Hat Enterprise Linux 6	`php`	Not affected
Red Hat Enterprise Linux 7	`php`	Not affected
Red Hat Enterprise Linux 8	`php:7.4/php`	Not affected
Red Hat Enterprise Linux 9	`php`	Not affected
Red Hat Hardened Images	`php`	Not affected

Apply commands

bash fix

Apply RHSA-2026:22305 for Red Hat Enterprise Linux 8

yum update -y php:8
# or:
dnf upgrade -y php:8

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 6	`Not affected`
redhat	Red Hat Enterprise Linux 7	`Not affected`
redhat	Red Hat Enterprise Linux 8	`Not affected`
redhat	Red Hat Enterprise Linux 9	`Not affected`
redhat	Red Hat Hardened Images	`Not affected`

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Windows Affected 1 release

Version	Status	Fixed in
—	Affected	—

AlmaLinux Fixed 2 releases

Version	Status	Fixed in
9	Fixed	`apcu-panel-5.1.23-1.module_el9.6.0+151+5f31e576.noarch.rpm`
8	Fixed	`apcu-panel-5.1.23-1.module_el8.10.0+3796+30ed3ef7.noarch.rpm`

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`8.4.21-1~deb13u1`
sid	Fixed	`8.4.21-1`
forky	Fixed	`8.4.21-1`
bullseye	Fixed	`7.4.33-1+deb11u11`
bookworm	Fixed	`8.2.31-1~deb12u1`

Red Hat Fixed 2 releases

Version	Status	Fixed in
9	Fixed	—
8	Fixed	—

Application impact

Vendor	Product	Versions	Fixed
php	php	`{"startIncluding":"8.2.0","endExcluding":"8.2.31"}`	`8.2.31`

References

CWEs

CWE-476

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.