CVE-2026-7262 LOW

CVE-2026-7262: NULL pointer dereference in SOAP apache:Map decoder with missing <value>

Vendor Php Group

Product PHP

Weakness CWE-476

Published May 10, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

2.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/RE:M/U:Amber

What the vulnerability does

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.

Key dates

Disclosure timeline

May 10, 2026 CVE published

May 11, 2026 Record updated

Identifiers

CVE CVE-2026-7262

CWE CWE-476

CVSS 2.9 / LOW

Affected versions

Vendor Php Group

Product PHP

Affected ≥ 8.2.* and < 8.2.31

Vendor Php Group

Product PHP

Affected ≥ 8.3.* and < 8.3.31

Vendor Php Group

Product PHP

Affected ≥ 8.4.* and < 8.4.21

Vendor Php Group

Product PHP

Affected ≥ 8.5.* and < 8.5.6