Red Hat Security Advisory: php8.4 security update
PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. Security Fix(es): * PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions (CVE-2026-7258) * PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation (CVE-2026-6735) * php: NULL pointer dereference in SOAP apache:Map decoder with missing <value> (CVE-2026-7262) * php: signed integer overflow in metaphone() (CVE-2026-7568) * php: denial of service via DOMNode::C14N() (CVE-2026-7263) * php: global buffer over-read in mb_convert_encoding() with attacker-supplied encoding (CVE-2026-6104) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
AI Analysis
Technical Summary
Red Hat Product Security released an important security update for php8.4 on Red Hat Enterprise Linux 10 addressing six vulnerabilities: CVE-2026-7258 (denial of service via improper handling of signed characters in ctype functions), CVE-2026-6735 (cross-site scripting in PHP-FPM due to improper URL sanitation), CVE-2026-7262 (null pointer dereference in SOAP apache:Map decoder), CVE-2026-7568 (signed integer overflow in metaphone()), CVE-2026-7263 (denial of service via DOMNode::C14N()), and CVE-2026-6104 (global buffer over-read in mb_convert_encoding() with attacker-supplied encoding). The advisory includes updated packages for multiple architectures and Red Hat Enterprise Linux variants. No CVSS scores are provided in the advisory, but the update is rated as important.
Potential Impact
The vulnerabilities collectively could allow denial of service conditions, cross-site scripting attacks, null pointer dereferences, and memory corruption issues in PHP environments running php8.4 on affected Red Hat Enterprise Linux 10 systems. These issues could impact the stability and security of web applications relying on PHP, potentially leading to service disruption or exploitation of cross-site scripting flaws. No known exploits in the wild have been reported at the time of the advisory.
Mitigation Recommendations
Red Hat has released updated php8.4 packages that address these vulnerabilities. Users of Red Hat Enterprise Linux 10 should apply the security update as soon as possible by following the instructions in the Red Hat advisory RHSA-2026:22649 (https://access.redhat.com/errata/RHSA-2026:22649). This update includes fixes for all listed CVEs. No additional mitigation steps are indicated beyond applying the official patch.
Red Hat Security Advisory: php8.4 security update
Description
PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. Security Fix(es): * PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions (CVE-2026-7258) * PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation (CVE-2026-6735) * php: NULL pointer dereference in SOAP apache:Map decoder with missing <value> (CVE-2026-7262) * php: signed integer overflow in metaphone() (CVE-2026-7568) * php: denial of service via DOMNode::C14N() (CVE-2026-7263) * php: global buffer over-read in mb_convert_encoding() with attacker-supplied encoding (CVE-2026-6104) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Red Hat Product Security released an important security update for php8.4 on Red Hat Enterprise Linux 10 addressing six vulnerabilities: CVE-2026-7258 (denial of service via improper handling of signed characters in ctype functions), CVE-2026-6735 (cross-site scripting in PHP-FPM due to improper URL sanitation), CVE-2026-7262 (null pointer dereference in SOAP apache:Map decoder), CVE-2026-7568 (signed integer overflow in metaphone()), CVE-2026-7263 (denial of service via DOMNode::C14N()), and CVE-2026-6104 (global buffer over-read in mb_convert_encoding() with attacker-supplied encoding). The advisory includes updated packages for multiple architectures and Red Hat Enterprise Linux variants. No CVSS scores are provided in the advisory, but the update is rated as important.
Potential Impact
The vulnerabilities collectively could allow denial of service conditions, cross-site scripting attacks, null pointer dereferences, and memory corruption issues in PHP environments running php8.4 on affected Red Hat Enterprise Linux 10 systems. These issues could impact the stability and security of web applications relying on PHP, potentially leading to service disruption or exploitation of cross-site scripting flaws. No known exploits in the wild have been reported at the time of the advisory.
Mitigation Recommendations
Red Hat has released updated php8.4 packages that address these vulnerabilities. Users of Red Hat Enterprise Linux 10 should apply the security update as soon as possible by following the instructions in the Red Hat advisory RHSA-2026:22649 (https://access.redhat.com/errata/RHSA-2026:22649). This update includes fixes for all listed CVEs. No additional mitigation steps are indicated beyond applying the official patch.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:22649
- Cve Count
- 6
- Additional Cves
- ["CVE-2026-6735","CVE-2026-7258","CVE-2026-7262","CVE-2026-7263","CVE-2026-7568"]
- Cvss Version
- null
Threat ID: 6a20982ee29bf47b50ebdc91
Added to database: 6/3/2026, 9:10:06 PM
Last enriched: 6/3/2026, 9:12:48 PM
Last updated: 6/4/2026, 5:00:13 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.