This Red Hat security advisory (RHSA-2026:22305) addresses four vulnerabilities in the php:8.2 module for Red Hat Enterprise Linux 8. The vulnerabilities include: (1) CVE-2026-7258, a denial of service caused by improper handling of signed characters in ctype functions; (2) CVE-2026-6735, a cross-site scripting (XSS) vulnerability in PHP-FPM due to improper URL sanitation; (3) CVE-2026-7262, a NULL pointer dereference in the SOAP apache:Map decoder when a <value> is missing; and (4) CVE-2026-7568, a signed integer overflow in the metaphone() function. Red Hat has released updated php:8.2 packages that fix these issues. The advisory applies to multiple architectures and extended life cycle versions of Red Hat Enterprise Linux 8. No CVSS scores are provided in the advisory, but the update is rated as important.

The vulnerabilities collectively could allow denial of service conditions, cross-site scripting attacks, and potential application crashes due to NULL pointer dereference or integer overflow in PHP environments running on affected Red Hat Enterprise Linux 8 systems. The XSS vulnerability (CVE-2026-6735) could enable attackers to execute arbitrary scripts in the context of affected web applications using PHP-FPM. The denial of service and NULL pointer dereference issues could disrupt service availability. No known exploits in the wild have been reported, but the issues pose a high security risk if left unpatched.

Red Hat has released updated php:8.2 packages for Red Hat Enterprise Linux 8 that address these vulnerabilities. Users should apply the security update as detailed in Red Hat advisory RHSA-2026:22305 and the referenced article https://access.redhat.com/articles/11258 to remediate these issues. Since this is a traditional software package, remediation requires applying the vendor-provided update. There is no indication that the vulnerabilities are already mitigated or require no action. Patch status is confirmed by the vendor advisory.