This advisory covers four security vulnerabilities in PHP 8.3 as packaged by Red Hat for Red Hat Enterprise Linux 9. The vulnerabilities include: 1) CVE-2026-7258, a denial of service caused by improper handling of signed characters in ctype functions; 2) CVE-2026-6735, a cross-site scripting (XSS) vulnerability in PHP-FPM due to improper URL sanitation; 3) CVE-2026-7262, a NULL pointer dereference in the SOAP apache:Map decoder when a <value> element is missing; and 4) CVE-2026-7568, a signed integer overflow in the metaphone() function. Red Hat has released updated php:8.3 packages that address these issues. The advisory applies to multiple architectures including x86_64, s390x, ppc64le, and aarch64. No CVSS scores are provided in the advisory, but the overall severity is rated as important by Red Hat.

Successful exploitation of these vulnerabilities could lead to denial of service (CVE-2026-7258), cross-site scripting attacks (CVE-2026-6735), application crashes due to NULL pointer dereference (CVE-2026-7262), and potential memory corruption from integer overflow (CVE-2026-7568). The XSS vulnerability could allow attackers to execute arbitrary scripts in the context of affected web applications using PHP-FPM. The denial of service and crash vulnerabilities could disrupt service availability. No known exploits in the wild have been reported.

Red Hat has released updated php:8.3 packages for Red Hat Enterprise Linux 9 that address these vulnerabilities. Users should apply the security update as described in the Red Hat advisory RHSA-2026:22142 and the referenced article https://access.redhat.com/articles/11258 to remediate these issues. Since this is a traditional software package, remediation requires applying the vendor-provided update. No additional vendor mitigation or 'no action required' statements are present.