[CLSA-2026:1779370354] Fix CVE(s): CVE-2026-6722, CVE-2026-6735, CVE-2026-7261, CVE-2026-7262
Type: security
Severity: Critical
Release date: 2026-05-21 13:32:41 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
  - debian/patches/php-5.6-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes to pre-PHP7 zval** SOAP API.
  - Note: the 5.6 backport applies the addref half of the upstream fix only; the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is intentionally omitted because in 5.x ref_map is heterogeneous (stores both xmlNodePtr and zval* entries through the same API) and a ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone closes the UAF; cost is one bounded zval leak per request, released with the emalloc pool at RSHUTDOWN.
  - CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
  - debian/patches/php-5.6-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
  - CVE-2026-7262
* SECURITY UPDATE: soap extension use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
  - debian/patches/php-5.6-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj) sites in the header-handler failure paths with a persistance!=SOAP_PERSISTENCE_SESSION guard.
  - CVE-2026-7261
* SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri and query_string
  - debian/patches/php-5.6-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — fix bogus `ENT_HTML_IGNORE_ERRORS & ENT_COMPAT` (= 0) flag and add a parallel escape block for request_uri.
  - Note: upstream (PHP 8.x) routes JSON status output through php_json_encode_string(), which is not exported on 5.x. The 5.6 backport therefore applies the same HTML entity escape to both the HTML and JSON paths via the shared request_uri / query_string buffers. Consumers of `/status?json` will now see HTML-entity-encoded bytes in those fields (e.g. `&amp;` instead of `&`); entities decode back to the original byte, but JSON consumers must be prepared to handle them.
  - CVE-2026-6735
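A consumer-side sketch for the `/status?json` change described above (an added example, not CloudLinux or PHP project code). It assumes the full-status JSON layout with a `processes` array and the field names `request uri` and `query string`; `decode_status`, `render_cell` and the sample document are constructed for illustration.

```python
import html
import json

# Assumption: keys php-fpm uses for per-process request data in the
# full JSON status output. Adjust to what your pool actually emits.
ESCAPED_FIELDS = ("request uri", "query string")


def decode_status(raw_json, server_is_patched=True):
    """Parse a php-fpm JSON status document and undo the HTML-entity
    escaping that the patched 5.6 build applies to request data."""
    doc = json.loads(raw_json)
    if not server_is_patched:
        # Unpatched builds emit raw bytes. Decoding them would silently
        # rewrite values such as "&copy=2", so leave them untouched.
        return doc
    for proc in doc.get("processes", []):
        for key in ESCAPED_FIELDS:
            value = proc.get(key)
            if isinstance(value, str):
                # Exactly one decode pass: a URI that really contained
                # "&amp;" arrives as "&amp;amp;" and must end up "&amp;".
                proc[key] = html.unescape(value)
    return doc


def render_cell(value):
    """Re-escape a decoded value for an HTML sink (dashboard, report).
    After decoding, the value is client-controlled input again."""
    return html.escape(value, quote=True)


# Constructed sample of what a patched server might return.
SAMPLE = (
    '{"pool":"www","processes":[{"pid":1234,"request method":"GET",'
    '"request uri":"/index.php?a=1&amp;b=&lt;script&gt;&amp;c=&amp;amp;"}]}'
)

if __name__ == "__main__":
    uri = decode_status(SAMPLE)["processes"][0]["request uri"]
    print("decoded :", uri)
    print("for HTML:", render_cell(uri))
```

During a rolling upgrade, set `server_is_patched` per host, for example from the installed package version, so values from unpatched pools are not decoded.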
Updated packages:
  • alt-php56_5.6.40-123_amd64.deb
  • alt-php56-bcmath_5.6.40-123_amd64.deb
  • alt-php56-cli_5.6.40-123_amd64.deb
  • alt-php56-common_5.6.40-123_amd64.deb
  • alt-php56-dba_5.6.40-123_amd64.deb
  • alt-php56-dbx_5.6.40-123_amd64.deb
  • alt-php56-dev_5.6.40-123_amd64.deb
  • alt-php56-enchant_5.6.40-123_amd64.deb
  • alt-php56-firebird_5.6.40-123_amd64.deb
  • alt-php56-fpm_5.6.40-123_amd64.deb
  • alt-php56-gd_5.6.40-123_amd64.deb
  • alt-php56-imap_5.6.40-123_amd64.deb
  • alt-php56-intl_5.6.40-123_amd64.deb
  • alt-php56-ldap_5.6.40-123_amd64.deb
  • alt-php56-mbstring_5.6.40-123_amd64.deb
  • alt-php56-mcrypt_5.6.40-123_amd64.deb
  • alt-php56-mysqlnd_5.6.40-123_amd64.deb
  • alt-php56-odbc_5.6.40-123_amd64.deb
  • alt-php56-opcache_5.6.40-123_amd64.deb
  • alt-php56-pdo_5.6.40-123_amd64.deb
  • alt-php56-pgsql_5.6.40-123_amd64.deb
  • alt-php56-process_5.6.40-123_amd64.deb
  • alt-php56-pspell_5.6.40-123_amd64.deb
  • alt-php56-recode_5.6.40-123_amd64.deb
  • alt-php56-snmp_5.6.40-123_amd64.deb
  • alt-php56-soap_5.6.40-123_amd64.deb
  • alt-php56-sybase_5.6.40-123_amd64.deb
  • alt-php56-tidy_5.6.40-123_amd64.deb
  • alt-php56-xml_5.6.40-123_amd64.deb
  • alt-php56-xmlrpc_5.6.40-123_amd64.deb
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.