Red Hat Product Security released an advisory (RHSA-2026:1412) for PHP 8.2 on Red Hat Enterprise Linux 8 addressing six security vulnerabilities: CVE-2025-1220 (hostname null character vulnerability), CVE-2025-1735 (pgsql extension error checking omission), CVE-2025-6491 (NULL pointer dereference in SOAP extension), CVE-2025-14178 (heap-based buffer overflow in array_merge()), CVE-2025-14177 (information disclosure via getimagesize()), and CVE-2025-14180 (denial of service via invalid character sequence in PDO PostgreSQL prepared statements). The advisory includes updated packages to fix these issues. The vulnerabilities cover a range of weaknesses including CWE-918, CWE-476, CWE-125, and CWE-787. The vendor rates the update as Important and provides detailed instructions for applying the patch. No CVSS scores are provided in the advisory, and no exploits are known in the wild.

The vulnerabilities collectively could lead to denial of service, information disclosure, memory corruption, and error handling issues in PHP 8.2 environments running on Red Hat Enterprise Linux 8. The impact severity is rated Important by Red Hat, indicating significant security concerns that warrant timely patching. There are no reports of active exploitation in the wild at this time.

Red Hat has released updated PHP 8.2 packages for Red Hat Enterprise Linux 8 that address all listed vulnerabilities. Users should apply these official updates promptly following the guidance in Red Hat advisory RHSA-2026:1412 (https://access.redhat.com/articles/11258). Since this is an official fix, applying the vendor-provided patches is the recommended remediation. No additional mitigations are specified or required beyond applying the update.