Fluid Attacks Database

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	php8.4	=8.4.11-1 \|\| =8.4.16-1 \|\| =8.4.16-1~deb13u1 \|\| =8.4.20-1 \|\| >=0 <8.4.21-1~deb13u1	8.4.21-1~deb13u1
debian 11	php7.4	=7.4.21-1+deb11u1 \|\| =7.4.25-1+deb11u1 \|\| =7.4.26-1 \|\| =7.4.28-1+deb11u1 \|\| =7.4.30-1+deb11u1 \|\| =7.4.33-1+deb11u1 \|\| =7.4.33-1+deb11u10 \|\| =7.4.33-1+deb11u3 \|\| =7.4.33-1+deb11u4 \|\| =7.4.33-1+deb11u5 \|\| =7.4.33-1+deb11u6 \|\| =7.4.33-1+deb11u7 \|\| =7.4.33-1+deb11u8 \|\| =7.4.33-1+deb11u9 \|\| >=0 <7.4.33-1+deb11u11	7.4.33-1+deb11u11
debian 12	php8.2	=8.2.10-1 \|\| =8.2.10-2 \|\| =8.2.12-1 \|\| =8.2.16-1 \|\| =8.2.16-2 \|\| =8.2.17-1 \|\| =8.2.18-1 \|\| =8.2.18-1~deb12u1 \|\| =8.2.20-1~deb12u1 \|\| =8.2.20-2 \|\| =8.2.20-3 \|\| =8.2.21-1 \|\| =8.2.23-1 \|\| =8.2.24-1 \|\| =8.2.24-1~deb12u1 \|\| =8.2.26-1~deb12u1 \|\| =8.2.26-4 \|\| =8.2.27-1 \|\| =8.2.28-1~deb12u1 \|\| =8.2.29-1~deb12u1 \|\| =8.2.30-1~deb12u1 \|\| =8.2.5-2 \|\| =8.2.7-1 \|\| =8.2.7-1.1 \|\| =8.2.7-1.2 \|\| =8.2.7-1~deb12u1 \|\| >=0 <8.2.31-1~deb12u1	8.2.31-1~deb12u1
debian 14	php8.4	=8.4.11-1 \|\| =8.4.16-1 \|\| =8.4.16-1~deb13u1 \|\| =8.4.20-1 \|\| =8.4.21-1~deb13u1 \|\| >=0 <8.4.21-1	8.4.21-1
rpm rhel10	php	<0:8.3.31-1.el10_2	0:8.3.31-1.el10_2
rpm rhel8	php	<0:8.2.31-1.module+el8.10.0+24323+abc2b0db	0:8.2.31-1.module+el8.10.0+24323+abc2b0db
rpm rhel9	php	<0:8.2.31-1.module+el9.8.0+24325+74f58d38	0:8.2.31-1.module+el9.8.0+24325+74f58d38
rpm rhel10	php8.4	<0:8.4.21-1.el10_2	0:8.4.21-1.el10_2

Aliases

1. CVE-2026-72622. NVD-2026-72623. OSV-DEBIAN-2026-72624. OSV-2026-72625. SECURITY-TRACKER-CVE-2026-7262

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.