This Red Hat security advisory (RHSA-2026:2470) addresses multiple vulnerabilities in PHP 7.4 distributed with Red Hat Enterprise Linux 8. The vulnerabilities include a heap buffer over-read in mysqlnd (CVE-2024-8929), single byte overread in quoted-printable decoding (CVE-2024-11233), CRLF injection via proxy configuration in stream contexts (CVE-2024-11234), HTTP stream wrapper header parsing flaws (CVE-2025-1217, CVE-2025-1734, CVE-2025-1736, CVE-2025-1861), incorrect content-type handling in libxml streams (CVE-2025-1219), error checking omission in pgsql extension (CVE-2025-1735), NULL pointer dereference in SOAP extension (CVE-2025-6491), hostname null character vulnerability (CVE-2025-1220), heap-based buffer overflow in array_merge() (CVE-2025-14178), and information disclosure in getimagesize() (CVE-2025-14177). These issues collectively represent moderate security risks and have been addressed in updated PHP 7.4 packages for Red Hat Enterprise Linux 8.

The vulnerabilities collectively could lead to partial information disclosure, denial of service via crashes (NULL pointer dereference, buffer overflows), injection attacks (CRLF injection), and incorrect handling of authentication headers. The advisory rates the overall security impact as moderate. No known exploits in the wild have been reported at this time.

Red Hat has released updated PHP 7.4 packages for Red Hat Enterprise Linux 8 that address all listed vulnerabilities. Users should apply these official updates promptly following Red Hat's guidance at https://access.redhat.com/articles/11258. Since this is an official fix, applying the update fully mitigates the vulnerabilities. No additional mitigation steps are indicated by the vendor advisory.