← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-7262 · CWE-476 · Disclosed 2026-05-10

In PHP versions 8

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a fire alarm wired to one odd storage closet, not a master key to the building

CVE-2026-7262 is a NULL-pointer crash in PHP ext-soap when SoapServer decodes an apache:Map element that is missing a <value> node. The vulnerable ranges are PHP 8.2 before 8.2.31, 8.3 before 8.3.31, 8.4 before 8.4.21, and 8.5 before 8.5.6; downstream distros may instead ship backported package builds such as Debian php8.2 8.2.31-1~deb12u1, php8.4 8.4.21-1~deb13u1, and Bullseye LTS php7.4 7.4.33-1+deb11u11.

The headline 7.5/High label is too hot for real enterprise triage. The attack is network-reachable only if you expose a PHP SOAP server endpoint, and the buggy branch is reachable only when the application has a typemap configured; even then the practical impact is availability loss via segfault, which in common php-fpm deployments usually kills a worker and gets respawned rather than handing the attacker code execution or durable access.

"Unauthenticated and remote, yes—but only against a narrow PHP SOAP typemap path, and the real outcome is usually a worker crash, not a foothold."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable SOAP endpoint

The attacker first needs an internet- or intranet-reachable PHP application that actually uses SoapServer. In practice this means an exposed legacy integration endpoint, not just any PHP website. Commodity tooling here is just recon with curl, Burp, or generic HTTP discovery; there is no unique wire-level fingerprint for 'typemap-enabled PHP SOAP' from internet census alone.
Conditions required:
  • HTTP/S reachability to the target application
  • The application must implement server-side SOAP with PHP ext-soap
Where this breaks in practice:
  • Most modern PHP estates are REST/JSON, not SOAP
  • Many SOAP interfaces sit behind VPNs, partner allowlists, API gateways, or internal networks
  • A PHP install can have ext-soap present without any reachable SoapServer endpoint
Detection/coverage: Internet scanners can find generic SOAP surfaces, but not this vulnerable code path specifically. External attack-surface tools will overcount because presence of PHP or SOAP is not enough.
STEP 02

Hit the narrow typemap code path

The crash is not triggered by all SOAP requests. The request must drive to_zval_map() through apache:Map decoding while the server-side SoapServer is configured with a typemap; GitHub's advisory shows a minimal request body and constructor example. Weaponized tooling is unnecessary because the advisory itself contains a workable request structure.
Conditions required:
  • The endpoint must parse attacker-supplied SOAP XML
  • The server-side PHP code must instantiate SoapServer with a non-empty typemap
Where this breaks in practice:
  • Typemap use is a niche application design choice
  • WSDL/schema and app logic may reject malformed or unexpected payloads before the vulnerable branch
  • Reverse proxies, API gateways, or body validation middleware can block obviously malformed XML
Detection/coverage: Remote scanners generally cannot verify typemap use. SAST/SBOM can flag vulnerable PHP versions, but they still cannot prove exploitability without app context.
STEP 03

Send malformed apache:Map payload

Using curl, Burp Repeater, or any HTTP client, the attacker sends an apache:Map item with a <key> but no <value>. Due to the wrong NULL check, PHP dereferences the missing node during decoding and segfaults. This is low-complexity once the right endpoint and code path are found.
Conditions required:
  • Attacker can send arbitrary SOAP request bodies
  • No upstream control strips or blocks the malformed map payload
Where this breaks in practice:
  • Some gateways normalize or reject malformed SOAP/XML
  • Per-request worker isolation can reduce visible blast radius to one request slot
  • Rate limiting can turn a trivial crash into a noisy but containable nuisance
Detection/coverage: Web logs may show malformed SOAP requests; application or php-fpm logs can show segfaults or abrupt worker exits. Network IDS coverage is likely weak unless you add a custom signature for apache:Map items missing <value>.
STEP 04

Cause service degradation, not takeover

The practical outcome is denial of service against the PHP process handling the request. On a single-process or poorly supervised deployment this can mean a hard outage; on typical multi-worker php-fpm or Apache setups it is more often a crash-and-respawn event that needs repeated requests to sustain impact.
Conditions required:
  • Supervision or worker recycling does not fully mask the crash impact
  • Attacker can repeat requests fast enough to matter
Where this breaks in practice:
  • Process managers usually respawn crashed workers
  • Load balancers and multiple app nodes dilute single-worker failures
  • No confidentiality or integrity impact has been documented
Detection/coverage: EDR and host telemetry can see process crashes, while uptime monitors will see intermittent 5xx spikes. Nessus/Tenable provide package-level detection, not proof of exploitable app configuration.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found during review. CISA KEV does not list CVE-2026-7262, and I found no credible campaign reporting tied to this CVE.
Proof-of-concept availabilityPublic trigger logic exists, but not a notable weaponized repo. The GitHub advisory includes a working example request and the fixing commit adds a regression test (GHSA-hmxp-6pc4-f3vv.phpt) that effectively documents reproduction.
EPSSVery low. Third-party trackers currently show about 0.08%–0.13% probability, roughly the low quartile to low third of scores; that lines up with a niche DoS bug rather than a breakout exploit.
KEV statusNot KEV-listed. No CISA catalog entry located for this CVE as of the review date.
CVSS vector reality checkCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H captures the unauthenticated network path, but it overstates real enterprise urgency because it ignores the extra deployment requirement: a reachable PHP SOAP server using typemap. PHP's own GHSA uses CVSS v4 6.3 Moderate with AT:P, which better reflects the prerequisite-heavy path.
Affected versionsPHP 8.2.0–8.2.30, 8.3.0–8.3.30, 8.4.0–8.4.20, and 8.5.0–8.5.5 in upstream numbering. Debian also tracked affected branches including php7.4 in Bullseye LTS until its own backport landed.
Fixed versionsUpstream fixes: 8.2.31, 8.3.31, 8.4.21, 8.5.6. Backports: Debian lists php8.2 8.2.31-1~deb12u1, php8.4 8.4.21-1~deb13u1, and php7.4 7.4.33-1+deb11u11 as fixed package versions.
Scanner and detection coveragePackage-level coverage exists. Tenable/Nessus ships distro/package detection for the CVE, but remote exploitability is app-specific and depends on SoapServer plus typemap, which scanners usually cannot prove externally.
Exposure censusNo dependable internet-wide count. Shodan/Censys-style exposure numbers would be misleading here because the vulnerable condition is a feature-level application choice, not a reliably fingerprintable product banner. That is an inference from the advisory's prerequisite chain, not a direct vendor statement.
Disclosure and creditDisclosed 2026-05-10. The fixing commit and regression test credit Ilia Alshanetsky (iliaal) for the issue.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.3/10)

The decisive downgrading factor is the deployment prerequisite chain: the attacker needs a reachable PHP SOAP server endpoint that also uses the uncommon typemap feature. That makes this a narrow, app-specific availability bug, not a broad PHP internet emergency despite the unauthenticated network vector.

HIGH Technical impact is denial of service via NULL dereference, not data theft or code execution
MEDIUM Real-world exposure prevalence of `SoapServer` with `typemap` in enterprise fleets
HIGH No current KEV or public exploitation evidence

Why this verdict

  • Start from 7.5, then subtract for reachability reality: CVSS assumes any network path is equally reachable; in practice this only matters where a PHP SOAP server endpoint is actually exposed.
  • Subtract again for app-level prerequisite: exploitation requires SoapServer *and* a configured typemap, which is a meaningful narrowing of the affected population.
  • Keep it at MEDIUM, not LOW, because it is still unauthenticated remote: once the right endpoint exists, the request is simple and the advisory practically hands you the trigger.
  • No exploitation amplifier present: no KEV listing, no observed campaign reporting, and a very low EPSS all argue against emergency handling.
  • Blast radius is usually bounded: common php-fpm or supervised web stacks respawn workers, so many deployments see transient degradation rather than sustained single-packet outage.

Why not higher?

This is not a broad internet-kill switch for 'all PHP.' The exploit path depends on a reachable SOAP server endpoint and the relatively uncommon typemap configuration, and the documented outcome is availability loss only. Without evidence of large-scale exposure or active exploitation, there is no reason to keep this in HIGH.

Why not lower?

I am not dropping it to LOW because the attacker does not need credentials or user interaction. If you do run a reachable SOAP service with typemap, the crash path is straightforward and repeatable, so externally exposed integration nodes still deserve attention.

05 · Compensating Control

What to do — in priority order.

  1. Restrict SOAP endpoints — Put externally reachable SOAP services behind partner IP allowlists, VPN, or API gateway policy where possible. For a MEDIUM verdict there is no mitigation SLA — use this as an interim hardening step if patching will wait inside the 365-day remediation window.
  2. Rate-limit and circuit-break — Apply per-client request throttling and fast-fail thresholds on SOAP paths so repeated worker crashes cannot turn into sustained service exhaustion. For MEDIUM, there is no mitigation SLA — deploy on internet-facing SOAP services now if those services must remain on vulnerable builds for a while.
  3. Add XML/SOAP request validation at the edge — If you have an API gateway, WAF, or custom proxy capable of SOAP-aware inspection, block malformed apache:Map payloads that omit <value> nodes. For MEDIUM, there is no mitigation SLA — prioritize only the externally exposed SOAP paths where business ownership confirms SoapServer usage.
  4. Monitor php-fpm and web worker crash loops — Alert on repeated worker exits, segfaults, and short-lived php-fpm children tied to SOAP routes so attempted exploitation becomes visible before it becomes an outage. For MEDIUM, there is no mitigation SLA — wire this into normal operational monitoring while you patch within the remediation window.
What doesn't work
  • MFA does nothing here because the documented path is unauthenticated and request-driven.
  • Generic EDR alone does not prevent the crash; it may record the worker exit after impact.
  • Upgrading libxml or the OS without updating PHP/ext-soap misses the bug because the faulty NULL check is in PHP's SOAP extension logic.
  • SBOM-only triage is insufficient because version presence does not prove the reachable SoapServer+typemap condition.
06 · Verification

Crowdsourced verification payload.

Run this on the target Linux host or container image that serves the PHP application, not from an auditor workstation. Invoke it as sudo bash verify-cve-2026-7262.sh /var/www or point it at your app root; root is not strictly required, but you need read access to PHP binaries, package metadata, and application source paths to avoid UNKNOWN results.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# verify-cve-2026-7262.sh
# Checks for likely exposure to CVE-2026-7262 on Linux PHP hosts.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

SEARCH_ROOT="${1:-/var/www}"

found_php=0
found_vuln_version=0
found_soap=0
found_soapserver_code=0
found_typemap_code=0
unknown=0
summary=()

ver_lt() {
  [ "$1" = "$2" ] && return 1
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

is_vulnerable_upstream() {
  local v="$1"
  case "$v" in
    8.2.*) ver_lt "$v" "8.2.31" ; return $? ;;
    8.3.*) ver_lt "$v" "8.3.31" ; return $? ;;
    8.4.*) ver_lt "$v" "8.4.21" ; return $? ;;
    8.5.*) ver_lt "$v" "8.5.6" ; return $? ;;
    *) return 1 ;;
  esac
}

check_php_bin() {
  local bin="$1"
  command -v "$bin" >/dev/null 2>&1 || return 0
  found_php=1

  local version
  version="$($bin -r 'echo PHP_VERSION;' 2>/dev/null || true)"
  if [ -z "$version" ]; then
    unknown=1
    summary+=("$bin:version-unknown")
    return 0
  fi

  local has_soap
  has_soap="$($bin -r 'echo extension_loaded("soap") ? "yes" : "no";' 2>/dev/null || true)"
  if [ "$has_soap" = "yes" ]; then
    found_soap=1
    summary+=("$bin:$version:soap")
  else
    summary+=("$bin:$version:no-soap")
  fi

  if is_vulnerable_upstream "$version"; then
    found_vuln_version=1
    summary+=("$bin:$version:upstream-vulnerable-range")
  fi
}

# Common PHP binary names
for b in php php8.2 php8.3 php8.4 php8.5; do
  check_php_bin "$b"
done

# Package manager hints for backports
if command -v dpkg-query >/dev/null 2>&1; then
  pkg_info=$(dpkg-query -W -f='${Package} ${Version}\n' 'php*' 2>/dev/null | grep -E '^(php|php[0-9]\.[0-9]|php[0-9]\.[0-9]-soap|php-soap) ' || true)
  [ -n "$pkg_info" ] && summary+=("dpkg-packages-detected")
fi

if command -v rpm >/dev/null 2>&1; then
  pkg_info_rpm=$(rpm -qa 2>/dev/null | grep -E '^php([0-9]{2}|[0-9]\.[0-9])?(-soap)?-' || true)
  [ -n "$pkg_info_rpm" ] && summary+=("rpm-packages-detected")
fi

# Source search for SoapServer + typemap usage
if [ -d "$SEARCH_ROOT" ]; then
  if grep -RIl --include='*.php' 'new[[:space:]]\+SoapServer' "$SEARCH_ROOT" >/dev/null 2>&1; then
    found_soapserver_code=1
    summary+=("soapserver-code-found")
  fi
  if grep -RIl --include='*.php' "['\"]typemap['\"]\s*=>\|typemap\s*=>" "$SEARCH_ROOT" >/dev/null 2>&1; then
    found_typemap_code=1
    summary+=("typemap-code-found")
  fi
else
  unknown=1
  summary+=("search-root-missing:$SEARCH_ROOT")
fi

# Decision logic
if [ "$found_php" -eq 0 ]; then
  echo "UNKNOWN - no PHP binary found in PATH; $(IFS=,; echo "${summary[*]}")"
  exit 2
fi

if [ "$found_vuln_version" -eq 0 ]; then
  echo "PATCHED - no upstream-vulnerable PHP branch/version found; $(IFS=,; echo "${summary[*]}")"
  exit 0
fi

if [ "$found_soap" -eq 0 ]; then
  echo "PATCHED - vulnerable-version PHP found, but soap extension not loaded in checked binaries; $(IFS=,; echo "${summary[*]}")"
  exit 0
fi

if [ "$found_soapserver_code" -eq 1 ] && [ "$found_typemap_code" -eq 1 ]; then
  echo "VULNERABLE - vulnerable PHP version + soap loaded + SoapServer code + typemap usage found; $(IFS=,; echo "${summary[*]}")"
  exit 1
fi

if [ "$found_soapserver_code" -eq 1 ] || [ "$found_typemap_code" -eq 1 ] || [ "$unknown" -eq 1 ]; then
  echo "UNKNOWN - vulnerable PHP version + soap loaded, but app-level exploitability could not be fully confirmed; $(IFS=,; echo "${summary[*]}")"
  exit 2
fi

echo "UNKNOWN - vulnerable PHP version + soap loaded, but no SoapServer/typemap evidence found under $SEARCH_ROOT; $(IFS=,; echo "${summary[*]}")"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat this like a fleetwide PHP fire drill; treat it like a targeted hunt for exposed SOAP integrations. First, identify internet-facing or partner-facing PHP SOAP services and confirm whether they use SoapServer with typemap; if they do and cannot be patched immediately, restrict exposure and add throttling/edge validation as interim controls. For a MEDIUM verdict there is noisgate mitigation SLA: no mitigation SLA — go straight to the 365-day remediation window, and the noisgate remediation SLA is to land the vendor or distro fix within 365 days; use that full window only for non-exposed or clearly non-typemap deployments, not for business-critical external SOAP endpoints you already know are in scope.

Sources

  1. PHP Group GitHub advisory GHSA-hmxp-6pc4-f3vv
  2. NVD CVE-2026-7262
  3. PHP 8 changelog
  4. Fix commit 79551ab
  5. Ubuntu CVE tracker
  6. Debian security tracker
  7. CISA Known Exploited Vulnerabilities Catalog
  8. Snyk vulnerability record with EPSS
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.