DoS attack via DOMNode::C14N()

Content

Researcher: Nikita Sveshnikov (Positive Technologies)

In DOMNode::C14N(), improper removal of a libxml2 xmlns attribute from a doubly linked list can lead to a corrupt, circular linked list. The linked list is iterated in many places in PHP and libxml2, leading to DoS through segfaults, or through temporal and spatial resource starvation.

$doc = Dom\HTMLDocument::createFromString(' ');
$doc->C14N();
// Segfault on cleanup

// Or

$doc = Dom\HTMLDocument::createFromString(' ');
$doc->C14N();
$svg = $doc->documentElement->childNodes[1]->childNodes[0];
foreach ($svg->attributes as $prop) {} // This will loop forever

The attribute is removed incorrectly here:

https://github.com/php/php-src/blob/f0f28b763c8696511c3b80fb8b25ae8765b2d94b/ext/dom/node.c#L2134-L2141

Notice the assignment attr->prev = attr->next; where attr->prev->next = attr->next; was intended. The attribute is later (correctly) restored here:

https://github.com/php/php-src/blob/f0f28b763c8696511c3b80fb8b25ae8765b2d94b/ext/dom/node.c#L2182-L2189

After both procedures, the following graph:

flowchart TD
    A -- "Next" --> xmlns
    xmlns -- "Prev" --> A
    xmlns -- "Next" --> B
    B -- "Prev" --> xmlns

Would result in this graph:

flowchart TD
    A -- "Next" --> xmlns
    xmlns -- "Prev" --> B
    xmlns -- "Next" --> B
    B -- "Prev" --> xmlns
    B -- "Next" --> xmlns

Continuously following next will result in an infinite loop.
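
The unlink-then-restore sequence described above, modeled on the three-node list A, xmlns, B as an added example (not php-src code). The Attr struct, the function names and every statement other than the one quoted assignment are assumptions, written as a standard doubly-linked-list unlink and relink.

```c
#include <stdio.h>

/* Constructed stand-in for the prev/next sibling links of a libxml2 attribute. */
typedef struct Attr { struct Attr *prev, *next; } Attr;

/* Unlink using the assignment the advisory quotes as the bug. */
static void unlink_buggy(Attr **head, Attr *attr) {
    if (attr->prev) attr->prev = attr->next;        /* should update attr->prev->next */
    else *head = attr->next;
    if (attr->next) attr->next->prev = attr->prev;  /* assumed second half of the unlink */
}

/* Unlink using the assignment the advisory says was intended. */
static void unlink_fixed(Attr **head, Attr *attr) {
    if (attr->prev) attr->prev->next = attr->next;
    else *head = attr->next;
    if (attr->next) attr->next->prev = attr->prev;
}

/* Restore step (assumed shape): relink attr through its own prev/next pointers. */
static void relink(Attr **head, Attr *attr) {
    if (attr->prev) attr->prev->next = attr;
    else *head = attr;
    if (attr->next) attr->next->prev = attr;
}

/* Floyd cycle check: returns 1 if following ->next never reaches NULL. */
static int has_cycle(const Attr *head) {
    const Attr *slow = head, *fast = head;
    while (fast && fast->next) {
        slow = slow->next; fast = fast->next->next;
        if (slow == fast) return 1;
    }
    return 0;
}

/* Build A <-> xmlns <-> B, unlink and restore xmlns, report whether the list is cyclic. */
static int roundtrip_is_cyclic(void (*unlink_fn)(Attr **, Attr *)) {
    Attr a = {0}, xmlns = {0}, b = {0}, *head = &a;
    a.next = &xmlns; xmlns.prev = &a; xmlns.next = &b; b.prev = &xmlns;
    unlink_fn(&head, &xmlns);
    relink(&head, &xmlns);
    return has_cycle(head);
}

int main(void) {
    printf("buggy: cyclic=%d, fixed: cyclic=%d\n",
           roundtrip_is_cyclic(unlink_buggy), roundtrip_is_cyclic(unlink_fixed));
    return 0;
}
```

A bounded or cycle-aware walk like has_cycle is also how a debugging build can check list integrity after canonicalization without hanging.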

Linked CVEs

CVE-ID Severity (CVE.org) CVSS (CVE.org) EPSS EPSS-% Published (CVE.org)

CVE-2026-7263

- - - -

Source details

Label Name Category Tags Audience Language Feed URL
PHP Security (php/php-src GHSA) php_sec vendor_advisory php, runtime - de https://github.com/php/php-src/security/advisories