[CLSA-2026:1779371183] Fix CVE(s): CVE-2026-6722, CVE-2026-6735, CVE-2026-7261, CVE-2026-7262
Type:
security
Severity:
Critical
Release date:
2026-05-21 13:46:29 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
  - debian/patches/php-5.6-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes to pre-PHP7 zval** SOAP API.
  - Note: the 5.6 backport applies the addref half of the upstream fix only; the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is intentionally omitted because in 5.x ref_map is heterogeneous (stores both xmlNodePtr and zval* entries through the same API) and a ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone closes the UAF; cost is one bounded zval leak per request, released with the emalloc pool at RSHUTDOWN.
  - CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
  - debian/patches/php-5.6-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
  - CVE-2026-7262
* SECURITY UPDATE: soap extension use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
  - debian/patches/php-5.6-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj) sites in the header-handler failure paths with a persistance!=SOAP_PERSISTENCE_SESSION guard.
  - CVE-2026-7261
* SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri and query_string
  - debian/patches/php-5.6-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — fix bogus `ENT_HTML_IGNORE_ERRORS & ENT_COMPAT` (= 0) flag and add a parallel escape block for request_uri.
  - Note: upstream (PHP 8.x) routes JSON status output through php_json_encode_string(), which is not exported on 5.x. The 5.6 backport therefore applies the same HTML entity escape to both the HTML and JSON paths via the shared request_uri / query_string buffers. Consumers of `/status?json` will now see HTML-entity-encoded bytes in those fields (e.g. `&amp;` instead of `&`); entities decode back to the original byte but JSON consumers must be prepared to handle them.
  - CVE-2026-6735
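One way a monitoring script can handle the `/status?json` change described in the CVE-2026-6735 note, as an added example that is not part of the advisory or of the CloudLinux or PHP code. The `request uri` field name, the `decode_status` and `render_cell` helpers and the sample payload are assumptions constructed for illustration; the decoded values are request data again and are re-escaped before reaching an HTML sink.

```python
import html
import json

# Constructed sample of a patched `/status?json&full` reply (not captured output).
# Assumption: the per-process URI field is named "request uri".
SAMPLE_STATUS = r'''{"pool": "www", "processes": [
  {"pid": 101, "request uri": "/search.php?q=a&amp;b=&lt;script&gt;"},
  {"pid": 102, "request uri": "/index.php"},
  {"pid": 103, "request uri": "/p.php?x=&amp;lt;"}
]}'''

ESCAPED_FIELDS = ("request uri",)


def decode_status(raw):
    """Parse the status JSON and undo the HTML-entity escaping exactly once."""
    status = json.loads(raw)
    for proc in status.get("processes", []):
        for field in ESCAPED_FIELDS:
            value = proc.get(field)
            if isinstance(value, str):
                # html.unescape is single-pass: "&amp;lt;" becomes "&lt;",
                # which is what the client actually sent, not "<".
                proc[field] = html.unescape(value)
    return status


def render_cell(value):
    """Re-escape a decoded value before it is written into an HTML dashboard."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for proc in decode_status(SAMPLE_STATUS)["processes"]:
        uri = proc["request uri"]
        print(proc["pid"], repr(uri), "->", render_cell(uri))
```

Apply the decode only to output from the patched build; running it over unescaped output would alter URIs that legitimately contain entity-like text.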
Updated packages:
  • alt-php56_5.6.40-123_amd64.deb
    sha:1b307b84fdba3d87a686c04b8939a7dc4f385299
  • alt-php56-bcmath_5.6.40-123_amd64.deb
    sha:f5099c2a881ed4176dee0a5721952597acfeff2b
  • alt-php56-cli_5.6.40-123_amd64.deb
    sha:a91f34c7576bc94babcd8ac322410c96ddd22ec3
  • alt-php56-common_5.6.40-123_amd64.deb
    sha:30b77734f0e656c8a41eb8a746c5df784b594988
  • alt-php56-dba_5.6.40-123_amd64.deb
    sha:04ac203dca7568df251f3a1ec3a75911cbee79aa
  • alt-php56-dbx_5.6.40-123_amd64.deb
    sha:2af5c70d35d7b990c7c7bbcf3ecb7196cec54312
  • alt-php56-dev_5.6.40-123_amd64.deb
    sha:60f952438e44ddcc091fb13d94ebe821287e1da7
  • alt-php56-enchant_5.6.40-123_amd64.deb
    sha:28663f442da90e3812ece7bd3a2d7f0970a7c809
  • alt-php56-firebird_5.6.40-123_amd64.deb
    sha:162920a9dfd375806063b7116c89dc62b5e692bb
  • alt-php56-fpm_5.6.40-123_amd64.deb
    sha:a658b506ad2226eee9a37b468f91b88f9eaca8b2
  • alt-php56-gd_5.6.40-123_amd64.deb
    sha:59e9e72645789b7ccbc24b1643e6c6647934ea79
  • alt-php56-imap_5.6.40-123_amd64.deb
    sha:0aaf37658261a4492bdcebae9211177c70629696
  • alt-php56-intl_5.6.40-123_amd64.deb
    sha:46919858780d63587020ec3ed7671f12fb634ee1
  • alt-php56-ldap_5.6.40-123_amd64.deb
    sha:26424146cda05dff4340e0df8d92b0e54fa17291
  • alt-php56-mbstring_5.6.40-123_amd64.deb
    sha:0257f858da754108c69c1fd429fda5d5799e4b37
  • alt-php56-mcrypt_5.6.40-123_amd64.deb
    sha:e4a21def4464874ddeae8eb16c8400fd0ca8dcbf
  • alt-php56-mysqlnd_5.6.40-123_amd64.deb
    sha:6c8cd5062b57c256a70e91d2bd13caa13a546ad1
  • alt-php56-odbc_5.6.40-123_amd64.deb
    sha:3383a1665e1538c57a2a69df528fc4747bde1e68
  • alt-php56-opcache_5.6.40-123_amd64.deb
    sha:33e29621c6b804ebae7c5a1eb3f4caece7582b55
  • alt-php56-pdo_5.6.40-123_amd64.deb
    sha:5e4f80cd1b4e1f12add131bc3af4d5194ba4122a
  • alt-php56-pgsql_5.6.40-123_amd64.deb
    sha:9526466593b333b2ee49c6d8b3cc65f8a9c6b6e4
  • alt-php56-process_5.6.40-123_amd64.deb
    sha:959e5035d05a781a485ecb6ac31fc52cfbe9102f
  • alt-php56-pspell_5.6.40-123_amd64.deb
    sha:74e534fac23e78dc5bd50ecda1609754d97b8a5c
  • alt-php56-recode_5.6.40-123_amd64.deb
    sha:d90e511ae7a11d1eb19909989ad346d9fdd9c997
  • alt-php56-snmp_5.6.40-123_amd64.deb
    sha:110807556c6e3ac4fae8d858a9abff375ecaa6c2
  • alt-php56-soap_5.6.40-123_amd64.deb
    sha:6bd21fb0eefd0a058a3cd2cfeb3bb033b081a59f
  • alt-php56-sybase_5.6.40-123_amd64.deb
    sha:068b34a8d066cf6971649f32219ad14fa9b5555e
  • alt-php56-tidy_5.6.40-123_amd64.deb
    sha:54f3729f1be8c44d876ae3c57c253db650b12f02
  • alt-php56-xml_5.6.40-123_amd64.deb
    sha:b6b1f241dd86d4689a4da4a1f1d9c9c043199c6a
  • alt-php56-xmlrpc_5.6.40-123_amd64.deb
    sha:5c12c0e9e5c656fe53273cf83b672ba46c58f4b8
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.