PHP 8.4/8.5 (before 8.4.21/8.5.6) DOMNode::C14N() DoS via infinite loop
CVE-2026-7263 Published on May 10, 2026
DoS attack via DOMNode::C14N()
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, the DOMNode::C14N() method may process XML data incorrectly, creating a circular linked list in the data structure that represents the XML document. Subsequent processing of that XML document may then enter an infinite loop, causing denial of service in the processing application.
Weakness Types
Improper Resource Shutdown or Release
The program does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
What is an Infinite Loop Vulnerability?
The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.
CVE-2026-7263 has been classified as an Infinite Loop vulnerability or weakness.
Products Associated with CVE-2026-7263
Affected Versions
PHP Group PHP:
- Version 8.4.* and below 8.4.21 is affected.
- Version 8.5.* and below 8.5.6 is affected.
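To check a fleet against the ranges above, the following added example (not part of the advisory or of PHP itself) classifies version strings or `php -v` banners. The host names, the sample banners and the "review" status for pre-release builds of a fixed version are assumptions made for illustration.

```python
import re

# Branch -> first fixed patch release, as stated in the advisory text above.
FIXED_PATCH = {(8, 4): 21, (8, 5): 6}

# Leading "major.minor.patch" plus an optional PHP pre-release tag
# (e.g. "8.4.21RC1", "8.5.6-dev"); distro suffixes like "-1ubuntu1" are ignored.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:-?(alpha|beta|RC|dev)\d*)?")


def classify(version_text):
    """Return 'affected', 'fixed', 'review', 'not-listed' or 'unknown'."""
    m = VERSION_RE.search(version_text)
    if m is None:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "not-listed"  # the advisory names only the 8.4 and 8.5 branches
    if patch < fixed:
        return "affected"
    if patch == fixed and m.group(4):
        return "review"  # pre-release of the fixed version: confirm the fix is in the build
    return "fixed"


def scan_inventory(lines):
    """Map host -> status for 'host<TAB>php -v banner' lines."""
    report = {}
    for line in lines:
        host, _, banner = line.partition("\t")
        if host.strip():
            report[host.strip()] = classify(banner)
    return report


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = [
    "web-01\tPHP 8.4.12 (cli) (built: Jan  1 2026 00:00:00) (NTS)",
    "web-02\tPHP 8.4.21 (cli) (built: Jan  1 2026 00:00:00) (NTS)",
    "api-01\tPHP 8.5.5-1ubuntu1 (cli)",
    "api-02\tPHP 8.5.6-dev (cli)",
    "old-01\tPHP 8.3.20 (cli)",
]

if __name__ == "__main__":
    for host, status in scan_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Distribution packages can carry a backported fix under an older version number, so an "affected" result for a distro build should be confirmed against the vendor's own advisory.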