- What: Security update for PHP with DoS vulnerability
- Impact: Systems using PHP may be vulnerable to denial of service attacks
Red Hat Product Errata RHSA-2026:23388 - Security Advisory Issued: 2026-06-04 Updated: 2026-06-04 RHSA-2026:23388 - Security Advisory Overview Updated Packages Synopsis Important: php security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for php is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es): PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions (CVE-2026-7258) PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation (CVE-2026-6735) php: NULL pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() (CVE-2026-7259) php: NULL pointer dereference in SOAP apache:Map decoder with missing <value> (CVE-2026-7262) php: signed integer overflow in metaphone() (CVE-2026-7568) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 10 x86_64 Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 x86_64 Red Hat Enterprise Linux for IBM z Systems 10 s390x Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2 s390x Red Hat Enterprise Linux for Power, little endian 10 ppc64le Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2 ppc64le Red Hat Enterprise Linux for ARM 64 10 aarch64 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2 x86_64 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2 s390x Fixes BZ - 2468561 - CVE-2026-7258 PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions BZ - 2468562 - CVE-2026-6735 PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation BZ - 2468564 - CVE-2026-7259 php: NULL pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() BZ - 2468565 - CVE-2026-7262 php: NULL pointer dereference in SOAP apache:Map decoder with missing <value> BZ - 2468566 - CVE-2026-7568 php: signed integer overflow in metaphone() RHEL-119865 - PHP-FPM fails with image mode CVEs CVE-2026-6735 CVE-2026-7258 CVE-2026-7259 CVE-2026-7262 CVE-2026-7568 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 10 SRPM php-8.3.31-1.el10_2.src.rpm SHA-256: c36f9c8b23f49beb8477ad7d821eb928f4555a7445b910cf4ee9fb56ae93e0a0 x86_64 php-8.3.31-1.el10_2.x86_64.rpm SHA-256: 51406b52404913e946b98c65593c6139caf6c0938e33a056a539daaa966423f5 php-bcmath-8.3.31-1.el10_2.x86_64.rpm SHA-256: 97fb76905cfdddbf1a54290868c9340118e707fc0c0bba4146d0da56997c2726 php-bcmath-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 7c86eac3ababb2dfb88e5e710eb046e62fc349e41a02f8db4b58424087de09b2 php-cli-8.3.31-1.el10_2.x86_64.rpm SHA-256: 6e3fac2d20c30c6e5903661917ce01baf3e7b893446f58323191b01eaf4fb9df php-cli-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 186ea2f78789d856d9fc01d6b328af9264a158ad39a42dcc5857820988495a01 php-common-8.3.31-1.el10_2.x86_64.rpm SHA-256: 0530c1a959da6cca60ae7e83dc852893ff94fdff778aac5e17be158dafc27de8 php-common-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 73b45f2353aaec52f531bab37f64222a57c9cc30dddf1360c4c08024eb9d729e php-dba-8.3.31-1.el10_2.x86_64.rpm SHA-256: c3c1ef549ed7cd1d838f576e85e7e0d4c3c8e18181a638d61bc752d9a41f637d php-dba-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: ddc546f94fb2d48e842edc6748db3b6d52ac1139634f2f81b3451baadd2e8932 php-dbg-8.3.31-1.el10_2.x86_64.rpm SHA-256: 17ed910d0dc83b945c3e158dea323dc4ba45b23735a8e0f58b775645c47a0873 php-dbg-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 44a66f9792408f00045e0c52364477e725653441b61a5a5bffdf7b041e049000 php-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: fa7ae1f392b84d451cfe1c76fd78b61f82faf1e6b91461902476b36e6f3e0889 php-debugsource-8.3.31-1.el10_2.x86_64.rpm SHA-256: 78920707f3d84d123047c3ea5aa5918547c88f20a8296ef3c29e4f4aa224cfe5 php-devel-8.3.31-1.el10_2.x86_64.rpm SHA-256: 290f6476ccf7c01c5925fa06554fb8bf6ead36c88437369d4c0a684afed3f053 php-embedded-8.3.31-1.el10_2.x86_64.rpm SHA-256: cb23c04ed70571f614328937d48091da39cd641d5d0caab9ed55ad2b27ce6e90 php-embedded-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 9f83f7aeb4365863b171c153443bc12bfb75386d60363c8def3b5f5ef41f6e1e php-enchant-8.3.31-1.el10_2.x86_64.rpm SHA-256: c0befa8526017b97e6d468589d854edf3a4405ffcbabdcfd69aa673c3958f3d0 php-enchant-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 162edce57db5e9d88d31b322bc6c7171a1738a6197568fda4aa4aef27bb47133 php-ffi-8.3.31-1.el10_2.x86_64.rpm SHA-256: 43bdbf674e523b1c882b38c08f18adccef6f7340df8347bde47ef74a164e868f php-ffi-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 81ff312534e4c6f08c5165e2ef1a2b83ef4e8b3a0a8872cfd90cea8930844005 php-fpm-8.3.31-1.el10_2.x86_64.rpm SHA-256: 55b44a638c143455745b9b8787e75a791b3da1448281cd0a3748df7a12e5c0a8 php-fpm-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 7b70b6cd8d035fdbdfc600f17e78376104dbeb39700229a392382405609cc3a6 php-gd-8.3.31-1.el10_2.x86_64.rpm SHA-256: 68c1f422a5add598f0c4f1aa15172c98b3fe5cb19447b7308dd4a82c01c66b37 php-gd-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 26cf6d1740fde727248f1c0b4abc3033c66ed0b1b1251992436c53f0a8ca8a54 php-gmp-8.3.31-1.el10_2.x86_64.rpm SHA-256: 5b7a7fa79e6ff057e5e4d2a687fb4e6b29cd6a45ce712d020fab22e797232bfb php-gmp-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 0c1dc619ccc9920e34e075a969cfe08c58cbfd8105c681b7a47c0459bfb98df0 php-intl-8.3.31-1.el10_2.x86_64.rpm SHA-256: 86f38d2e36c34abbff8e9343e6510f7d7bb29365915ebed3fb9d9b1196fdc7ee php-intl-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 46b9db105718affcc844ac5683a53e58c8dbb939c30d680349b29bd8a8676646 php-ldap-8.3.31-1.el10_2.x86_64.rpm SHA-256: 89cc8c430efec947aae054b4ace30dec635146b8e8bda9b93531f369b3e5e0be php-ldap-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: e36b96fe8bbadb286d83058b742c066e0b04c2d7900d00dcf1b30d8f1a0fbd59 php-mbstring-8.3.31-1.el10_2.x86_64.rpm SHA-256: 7190df60768b08d7a50e7b919cdc6c0d4a3ca1d3740e0ebb38a2e4e543d5c15b php-mbstring-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: e2b0ab5ccf43699a8ddf910ae1d1a275f022da34a3fd0c96be918353450a07a6 php-mysqlnd-8.3.31-1.el10_2.x86_64.rpm SHA-256: 7aaa8810737cffa7d68b4acaadf62a3680b518e9170ac98a737d748476d47a53 php-mysqlnd-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: e4c8e5451db93336d127cdcbe6c311704382634c3d7d4912cbfed4b3696428f5 php-odbc-8.3.31-1.el10_2.x86_64.rpm SHA-256: babb5ce40cc3ab0f793b801a615c14d0b8a8eaf4dc6014deabc8c9d0acc7f4e8 php-odbc-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 070050144d207c6603ccc4201fc7318a8e4671a6137a2da27562b3531d85a5cd php-opcache-8.3.31-1.el10_2.x86_64.rpm SHA-256: 624db96d69a4262ef515f5cb775c4cc1208ded6f2ae4cd17172de1b0aabd97b7 php-opcache-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 1ae914cfda87c793df0078565057b92cac5e8274604b18e5072da09372965f0b php-pdo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 1118001710964df702ecae4486710c68f9623e38ec3421d6a0644437fffc0e69 php-pdo-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 3f7dd9dea3dafdb91488adf00dc571613aed7f1bc133349ec790ed6a0c09a734 php-pgsql-8.3.31-1.el10_2.x86_64.rpm SHA-256: fe543dfdfda24eafe59c0def165df3e506db53dfc21097a718a3f8bbe3bafec1 php-pgsql-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: b106ecdfc364c52b6148d16f5025adfd49428190671a7339072643fe791fff2e php-process-8.3.31-1.el10_2.x86_64.rpm SHA-256: a5ac97468a7cce323d16579599b7b76f7a873372b8d0087ef1627a4cab1e0e3f php-process-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 6904583961b9a9b501d5ea9088086cec69960f327b22a21d31a858466b47deaf php-snmp-8.3.31-1.el10_2.x86_64.rpm SHA-256: 2a03fcc7c41fddcf5d5bb865492eb064af6ff1edb5c1c6605a1692810328eb54 php-snmp-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 4315cfa7ce82d4f38e64359a656395c9f519bb13dffb7984d732db9dde4be5fe php-soap-8.3.31-1.el10_2.x86_64.rpm SHA-256: 7ff680fb9119d7aab17a0c3351f78664d2987cbde5dcb26f121cd403ed4cad63 php-soap-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: deea2392cf8a5465daafcec5d75474bb5032c306d94098ab30e49816f5304fce php-xml-8.3.31-1.el10_2.x86_64.rpm SHA-256: 4e065a4f425b51ad3d17f024bec920aeb4cec5201f09d94caf219f798785a2a3 php-xml-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 6d17b5786543bbc148699185913e6e736f4209ea72bed891299868f7e27dec87 Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 SRPM php-8.3.31-1.el10_2.src.rpm SHA-256: c36f9c8b23f49beb8477ad7d821eb928f4555a7445b910cf4ee9fb56ae93e0a0 x86_64 php-8.3.31-1.el10_2.x86_64.rpm SHA-256: 51406b52404913e946b98c65593c6139caf6c0938e33a056a539daaa966423f5 php-bcmath-8.3.31-1.el10_2.x86_64.rpm SHA-256: 97fb76905cfdddbf1a54290868c9340118e707fc0c0bba4146d0da56997c2726 php-bcmath-debuginfo-8.3.31-1.el10_2.x86_64.rpm SHA-256: 7c86eac3ababb2dfb88e5e710e