CVE-2026-7263 PUBLISHED

DoS attack via DOMNode::C14N()

Assigner: php
Reserved: 28.04.2026 Published: 10.05.2026 Updated: 10.05.2026

In PHP versions 8.4. before 8.4.21 and 8.5. before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/RE:M/U:Amber
CVSS Score: 6.3

Product Status

Vendor PHP Group
Product PHP
Versions Default: unaffected
  • affected from 8.4.* to 8.4.21 (excl.)
  • affected from 8.5.* to 8.5.6 (excl.)

Credits

  • Nikita Sveshnikov (Positive Technologies) finder
  • Ilija Tovilo remediation reviewer

References

Problem Types

  • CWE-404 Improper Resource Shutdown or Release CWE
  • CWE-835 Loop with unreachable exit condition ('infinite loop') CWE