PHP EUVD-2025-21276 | CVE-2025-6491
MEDIUM 5.9 (CVSS 3.1, NVD)
NULL Pointer Dereference (CWE-476)
2025-07-13 security@php.net

Severity by source

| Source | Rating | Vector / type |
|---|---|---|
| NVD (primary) | 5.9 MEDIUM | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| SUSE | MEDIUM | qualitative |
| Red Hat | 5.9 MEDIUM | qualitative |

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |

Lifecycle Timeline

5 events

| Event | Date | Source | Detail |
|---|---|---|---|
| Patch released | Mar 31, 2026 - 21:13 | nvd | Patch available |
| EUVD ID Assigned | Mar 16, 2026 - 09:18 | euvd | EUVD-2025-21276 |
| Analysis Generated | Mar 16, 2026 - 09:18 | vuln.today | |
| PoC Detected | Nov 04, 2025 - 22:16 | vuln.today | Public exploit code |
| CVE Published | Jul 13, 2025 - 22:15 | nvd | MEDIUM 5.9 |

Description (CVE.org)

In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* before 8.4.10, when parsing XML data in SOAP extensions, an overly large (>2Gb) XML namespace prefix may lead to a null pointer dereference. This may lead to crashes and affect the availability of the target server.

Technical Context (AI)

A NULL pointer dereference occurs when the application attempts to use a pointer that has not been initialized or has been set to NULL.

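Remediation (AI)

Upgrade PHP to a fixed release (8.1.33, 8.2.29, 8.3.23 or 8.4.10, per the description) or to the patched distribution package listed under Vendor Status. In code, add NULL checks before pointer dereference operations, use static analysis to identify potential NULL pointer issues, and enable compiler warnings.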

Vendor Status

Debian

php7.4

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 7.4.33-1+deb11u9 | - |
| bullseye (security) | fixed | 7.4.33-1+deb11u10 | - |
| (unstable) | fixed | (unfixed) | - |

php8.2

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | fixed | 8.2.29-1~deb12u1 | - |
| bookworm (security) | fixed | 8.2.30-1~deb12u1 | - |
| (unstable) | fixed | (unfixed) | - |

php8.4

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie | fixed | 8.4.11-1 | - |
| trixie (security) | fixed | 8.4.16-1~deb13u1 | - |
| forky, sid | fixed | 8.4.16-1 | - |
| (unstable) | fixed | 8.4.10-1 | - |

SUSE

Severity: Medium

| Product | Status |
|---|---|
| SUSE Liberty Linux 8 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |

EUVD-2025-21276 vulnerability details – vuln.today