to_zval_map() in ext/soap/php_encoding.c decodes apache:Map nodes. The branch correctly guards against missing keys, but the branch rechecks xmlKey instead of xmlValue:
In addition, master_to_zval_int() accesses data->properties without a NULL check, where data corresponds to the missing node. This branch is reachable when SOAP_GLOBAL(typemap) is set, i.e. when the SOAP server has a typemap configured. By embedding an apache:Map node with a missing node into the request, the process will segfault with a NULL pointer dereference violation. Under the described circumstances, DoS becomes trivial with the following example:
$request = << foo XML;
$server = new SoapServer(null, [
'uri' => 'urn:test',
'typemap' => [['type_name' => 'anything']],
]);
$server->addFunction('test');
function test($m) {}
$server->handle($request);