CVE-2026-7262

Incorrect variable dereference in SOAP decoding

Publication Date	2026-05-10
Severity	Low
Type	Denial of Service
Affected PHP Versions	7.1.0-7.1.33 7.2.0-7.2.34 7.3.0-7.3.33 7.4.0-7.4.33 8.0.0-8.0.30 8.1.0-8.1.34 8.2.0-8.2.30 8.3.0-8.3.30 8.4.0-8.4.20 8.5.0-8.5.5
Fixed Product Versions	ZendPHP 7.1 ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendPHP 8.1 ZendPHP 8.2 ZendPHP 8.3 ZendPHP 8.4 ZendPHP 8.5 ZendServer 2021.4.5

CVE Details

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferencing a NULL pointer, causing a segmentation fault.

Recommendations

If using the SOAP extension for use as a SOAP server, we recommend updating to a patched PHP version.

< View all CVEs