PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*
- < 8.1.33
- < 8.2.29
- < 8.3.23
- < 8.4.10
A null pointer dereference vulnerability has been identified in the PHP SOAP extension, affecting PHP versions 8.1.* prior to 8.1.33, 8.2.* prior to 8.2.29, 8.3.* prior to 8.3.23, and 8.4.* prior to 8.4.10. The vulnerability arises when parsing XML data in SOAP, where excessively large XML namespace prefixes (over 2GB) can cause a null pointer dereference. This issue leads to segmentation faults, causing crashes that disrupt the availability of the server.
Exploitation of this vulnerability causes a segmentation fault, terminating the PHP process. This crash disrupts web applications that rely on SOAP functionality, causing a denial-of-service condition.
The vulnerability can be reproduced by creating a SoapVar instance with a fully qualified name that exceeds 2GB in length. This can be achieved by using a namespace prefix sourced from an untrusted entity, such as a remote SOAP service. Once the SoapVar is created, it can be sent in a SOAP call using a SoapClient, which will trigger the vulnerability and cause the PHP process to crash.
Users can upgrade to PHP versions 8.1.33, 8.2.29, 8.3.23, or 8.4.10 to address this vulnerability.
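To check hosts against the fixed releases listed above, the following added example (not part of the original advisory) classifies a `php -v` banner together with the module names from `php -m`. The status labels and the sample inventory are constructed for illustration, and the handling of pre-release builds is an assumption.

```python
import re

# Fixed release for each affected branch, as listed in the advisory above.
FIXED = {(8, 1): (8, 1, 33), (8, 2): (8, 2, 29), (8, 3): (8, 3, 23), (8, 4): (8, 4, 10)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)((?:alpha|beta|rc)\d*)?", re.IGNORECASE)


def triage(version_text, modules):
    """Classify one host from its `php -v` banner and its `php -m` module list."""
    match = VERSION_RE.search(version_text)
    if not match:
        raise ValueError(f"no PHP version in {version_text!r}")
    version = tuple(int(part) for part in match.group(1, 2, 3))
    prerelease = match.group(4)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "branch-not-listed"  # the advisory names only 8.1 through 8.4
    if version > fixed or (version == fixed and not prerelease):
        return "patched"
    if version == fixed and prerelease:
        # Assumption: a build such as 8.4.10RC1 predates the 8.4.10 release,
        # so it is flagged for manual review rather than counted as patched.
        return "review"
    # Below the fixed release: the crash needs the SOAP extension, so report
    # separately whether it is loaded. The host needs the upgrade either way.
    has_soap = any(name.strip().lower() == "soap" for name in modules)
    return "vulnerable" if has_soap else "upgrade-soap-not-loaded"


if __name__ == "__main__":
    # Constructed inventory: (host, first line of `php -v`, names from `php -m`).
    inventory = [
        ("web-01", "PHP 8.1.32 (cli)", ["Core", "soap", "xml"]),
        ("web-02", "PHP 8.2.29 (cli)", ["Core", "soap"]),
        ("api-01", "8.3.22-1ubuntu1", ["Core", "xml"]),
        ("dev-01", "PHP 8.4.10RC1 (cli)", ["Core", "soap"]),
        ("old-01", "PHP 7.4.33 (cli)", ["Core", "soap"]),
    ]
    for host, banner, modules in inventory:
        print(f"{host}: {triage(banner, modules)}")
```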