This Red Hat security advisory (RHSA-2026:1409) addresses six vulnerabilities in the php:8.2 module used in Red Hat Enterprise Linux 9. The issues include: CVE-2025-1220 (hostname null character vulnerability), CVE-2025-1735 (pgsql extension error checking omission), CVE-2025-6491 (NULL pointer dereference in SOAP extension), CVE-2025-14178 (heap-based buffer overflow in array_merge()), CVE-2025-14177 (information disclosure via getimagesize()), and CVE-2025-14180 (denial of service via invalid character sequence in PDO PostgreSQL prepared statements). Red Hat has released updated php:8.2 packages to fix these vulnerabilities. The advisory confirms the availability of patches and provides detailed package versions for remediation.

The vulnerabilities collectively pose risks including potential denial of service, information disclosure, memory corruption, and application crashes in PHP environments running on affected Red Hat Enterprise Linux 9 systems. The hostname null character vulnerability and buffer overflow could be exploited to cause unexpected behavior or crashes. Information disclosure via image processing could leak sensitive data. The denial of service vulnerability could disrupt services relying on PDO PostgreSQL prepared statements. Red Hat rates the overall security impact as Important (high severity). There are no known exploits in the wild at the time of the advisory.

Red Hat has released an official security update for the php:8.2 module in Red Hat Enterprise Linux 9 that addresses all listed vulnerabilities. Users should apply the update as soon as possible following Red Hat's published guidance at https://access.redhat.com/articles/11258. The advisory confirms that the update fixes the vulnerabilities, so applying the patch is the recommended and effective mitigation. No additional vendor-recommended mitigations or workarounds are indicated.