CVE Vulnerabilities

CVE-2025-6491

NULL Pointer Dereference

Published: Jul 13, 2025 | Modified: Jul 22, 2025
CVSS 3.x: N/A (Source: NVD)
CVSS 2.x
RedHat/V2
RedHat/V3: 5.9 MODERATE (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Ubuntu: MEDIUM

In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* before 8.4.10, when parsing XML data in SOAP extensions, an overly large (>2Gb) XML namespace prefix may lead to a null pointer dereference. This may lead to crashes and affect the availability of the target server.

Weakness

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Affected Software

Name | Vendor | Start Version | End Version
Php | Php | 8.1.0 (including) | 8.1.33 (excluding)
Php | Php | 8.2.0 (including) | 8.2.29 (excluding)
Php | Php | 8.3.0 (including) | 8.3.23 (excluding)
Php | Php | 8.4.0 (including) | 8.4.10 (excluding)
Php8.1 | Ubuntu | jammy | *
Php8.1 | Ubuntu | upstream | *
Php8.3 | Ubuntu | noble | *
Php8.3 | Ubuntu | oracular | *
Php8.3 | Ubuntu | upstream | *
Php8.4 | Ubuntu | devel | *
Php8.4 | Ubuntu | plucky | *
Php8.4 | Ubuntu | upstream | *