CVE-2025-6491

Public on 2025-07-08
Modified on 2025-07-10
Description
If a SoapVar instance is created with a fully qualified name larger than 2G, this will cause a NULL pointer dereference resulting in a segmentation fault, leading to a denial of service.
Severity
Medium
CVSS v3 Base Score
5.9

Affected Packages

| Platform | Package | Release Date | Advisory | Status |
| --- | --- | --- | --- | --- |
| Amazon Linux 2 - Core | php | | | Pending Fix |
| Amazon Linux 2 - Php8.1 Extra | php | 2025-08-04 | ALAS2PHP8.1-2025-007 | Fixed |
| Amazon Linux 2 - Php8.2 Extra | php | 2025-08-04 | ALAS2PHP8.2-2025-008 | Fixed |
| Amazon Linux 2023 | php8.1 | 2025-08-08 | ALAS2023-2025-1087 | Fixed |
| Amazon Linux 2023 | php8.2 | 2025-08-08 | ALAS2023-2025-1088 | Fixed |
| Amazon Linux 2023 | php8.3 | 2025-08-08 | ALAS2023-2025-1114 | Fixed |
| Amazon Linux 2023 | php8.4 | 2025-08-08 | ALAS2023-2025-1113 | Fixed |

CVSS Scores

| | Score Type | Score | Vector |
| --- | --- | --- | --- |
| Amazon Linux | CVSSv3 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | CVSSv3 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |