CVE-2026-7263 Overview
CVE-2026-7263 is a denial of service vulnerability in PHP affecting the DOMNode::C14N() method. The flaw exists in PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6. When processing certain XML data, the method incorrectly constructs the internal data structure representing the XML document, producing a circular linked list. Subsequent processing of the affected document enters an infinite loop, exhausting CPU resources in the processing application. The issue is tracked under [CWE-404] (Improper Resource Shutdown or Release) and was published to the National Vulnerability Database (NVD) on 2026-05-10.
Critical Impact
Attackers can submit crafted XML to applications using DOMNode::C14N(), triggering an infinite loop that causes denial of service.
Affected Products
- PHP 8.4.x prior to 8.4.21
- PHP 8.5.x prior to 8.5.6
- Applications using DOMNode::C14N() for XML canonicalization
Discovery Timeline
- 2026-05-10 - CVE-2026-7263 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-7263
Vulnerability Analysis
The vulnerability resides in PHP's DOM extension, specifically in the DOMNode::C14N() method used for XML canonicalization. C14N (Canonical XML) is the standardized serialization format used for XML signatures and other integrity-sensitive operations. When the method processes certain XML inputs, the internal representation of the document is built incorrectly. The result is a circular linked list inside the DOM node structure.
Once the structure is corrupted, any subsequent traversal of the document follows the circular reference indefinitely. The processing thread enters an infinite loop and consumes CPU cycles until terminated. Applications running under PHP-FPM or similar worker pools can exhaust their workers, leading to full service unavailability. The vulnerability requires no authentication and can be triggered remotely if the application accepts external XML input.
Root Cause
The root cause is improper handling of XML node relationships during canonicalization. The DOMNode::C14N() implementation fails to maintain a valid acyclic structure when building the canonical representation, producing self-referential links that violate the expected tree topology of a DOM document.
Attack Vector
An unauthenticated remote attacker submits a specially crafted XML document to any endpoint that calls DOMNode::C14N() on attacker-controlled input. Common targets include SAML processors, XML signature validators, RSS/Atom parsers, and SOAP services. After processing, any code that walks the document traversal triggers the infinite loop.
// Vulnerability mechanism (conceptual)
// 1. Attacker submits crafted XML payload to PHP application
// 2. Application calls $dom->C14N() on the input
// 3. DOM internal structure built with circular linked list
// 4. Subsequent traversal enters infinite loop
// 5. PHP worker process consumes 100% CPU until killed
// See vendor advisory for technical details.
Detection Methods for CVE-2026-7263
Indicators of Compromise
- PHP-FPM or Apache worker processes consuming sustained 100% CPU after handling XML requests
- Request timeouts and HTTP 502/504 errors from endpoints that accept XML input
- Increased process kills by max_execution_time limits or supervisor processes
- Unexpected accumulation of long-running PHP processes tied to XML parsing endpoints
Detection Strategies
- Inventory all PHP applications and confirm version against 8.4.21 and 8.5.6 baselines using php -v
- Audit application source for calls to DOMNode::C14N(), DOMDocument::C14N(), and related canonicalization APIs
- Correlate XML upload or POST events with subsequent CPU spikes in process telemetry
- Monitor web server logs for repeated requests to XML-handling endpoints from a single source
Monitoring Recommendations
- Alert when PHP worker processes exceed CPU thresholds for sustained intervals
- Track PHP version distribution across the fleet to identify unpatched hosts
- Log and review XML payload sizes and parse durations at application boundaries
How to Mitigate CVE-2026-7263
Immediate Actions Required
- Upgrade PHP to version 8.4.21 or 8.5.6 or later on all affected systems
- Identify and prioritize public-facing applications that process untrusted XML
- Enforce strict max_execution_time limits on PHP-FPM pools to bound worst-case CPU consumption
- Restrict request size and rate on endpoints that invoke XML canonicalization
Patch Information
The PHP project addressed the issue in PHP 8.4.21 and 8.5.6. Full details are available in the PHP Security Advisory GHSA-4jhr-8w89-j733. Administrators should apply distribution packages as soon as they become available or build from the patched upstream sources.
Workarounds
- Disable or remove code paths that call DOMNode::C14N() on untrusted XML until patching is complete
- Validate and schema-check XML input before passing it to DOM canonicalization
- Place a reverse proxy or WAF in front of XML endpoints to enforce timeouts and payload limits
# Verify installed PHP version and plan upgrade
php -v
# Example: upgrade on Debian/Ubuntu once packages are available
sudo apt update
sudo apt install --only-upgrade php8.4 php8.4-xml
# Tighten PHP-FPM execution limits as defense-in-depth
# /etc/php/8.4/fpm/php.ini
# max_execution_time = 15
# memory_limit = 128M
sudo systemctl restart php8.4-fpm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
