[CLSA-2026:1779293143] Fix CVE(s): CVE-2026-6722, CVE-2026-6735, CVE-2026-7261, CVE-2026-7262
Type: security
Severity: Critical
Release date: 2026-05-20 16:05:47 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
  - debian/patches/php-5.4-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes to pre-PHP7 zval** SOAP API.
  - Note: the 5.4 backport applies the addref half of the upstream fix only; the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is intentionally omitted because in 5.x ref_map is heterogeneous (stores both xmlNodePtr and zval* entries through the same API) and a ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone closes the UAF; cost is one bounded zval leak per request, released with the emalloc pool at RSHUTDOWN.
  - CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
  - debian/patches/php-5.4-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
  - CVE-2026-7262
* SECURITY UPDATE: soap extension use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
  - debian/patches/php-5.4-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj) sites in the header-handler failure paths with a persistance!=SOAP_PERSISTENCE_SESSION guard.
  - CVE-2026-7261
* SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri and query_string
  - debian/patches/php-5.4-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — fix bogus `ENT_HTML_IGNORE_ERRORS & ENT_COMPAT` (= 0) flag and add a parallel escape block for request_uri.
  - Note: upstream (PHP 8.x) routes JSON status output through php_json_encode_string(), which is not exported on 5.x. The 5.4 backport therefore applies the same HTML entity escape to both the HTML and JSON paths via the shared request_uri / query_string buffers. Consumers of `/status?json` will now see HTML-entity-encoded bytes in those fields (e.g. `&amp;` instead of `&`); entities decode back to the original byte but JSON consumers must be prepared to handle them.
  - CVE-2026-6735
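
For the `/status?json` caveat above, an added example (not code from CloudLinux or the PHP project) of a JSON consumer that decodes the entity-escaped URI field exactly once and re-escapes it at its own HTML output boundary. The field names `processes` and `request uri`, the `entity_encoded` flag and the sample payload are assumptions constructed for this example.

```python
import html
import json

# Constructed sample of full JSON status output from a patched 5.4 backend.
# Field names ("processes", "request uri") are assumed from php-fpm's full
# status format; the values are made up for this example.
PATCHED_SAMPLE = r'''{"pool":"www","processes":[
 {"pid":4101,"request method":"GET","request uri":"/search.php?q=a&amp;b=&lt;x&gt;"},
 {"pid":4102,"request method":"GET","request uri":"/doc.php?t=AT&amp;amp;T"}
]}'''

# Fields the backport entity-escapes (assumed to surface as "request uri").
ESCAPED_FIELDS = ("request uri",)


def load_status(raw, entity_encoded):
    """Parse fpm status JSON and return it with URI fields as original text.

    entity_encoded must come from inventory (is this backend patched?), not
    from inspecting the data: a request that literally contains "&amp;" is
    indistinguishable from an encoded "&" once that knowledge is lost.
    """
    status = json.loads(raw)
    for proc in status.get("processes", []):
        for field in ESCAPED_FIELDS:
            value = proc.get(field)
            if entity_encoded and isinstance(value, str):
                # Decode exactly once; a second pass would turn a literal
                # "&amp;" sent by the client into "&".
                proc[field] = html.unescape(value)
    return status


def uris(status):
    """Return the request URI of every process entry, in order."""
    return [p["request uri"] for p in status["processes"]]


def render_cell(uri):
    """Escape again at the output boundary of an HTML dashboard."""
    return "<td>" + html.escape(uri, quote=True) + "</td>"
```
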
Updated packages:
  • alt-php54_5.4.45-178_amd64.deb
    sha:2b2aaac01c6fadeda458668f8dcb4d12c2540975
  • alt-php54-bcmath_5.4.45-178_amd64.deb
    sha:07ba7cd90e1318673f7253338536883428b273eb
  • alt-php54-cli_5.4.45-178_amd64.deb
    sha:05cc0e6e583b363dd19be79338ecaf33d3883917
  • alt-php54-common_5.4.45-178_amd64.deb
    sha:8bef426f5c36dd245e2e0c474a4b3bca6414658f
  • alt-php54-dba_5.4.45-178_amd64.deb
    sha:669b84d5be924ebb6850d6c0bce94e651eaaad58
  • alt-php54-dbx_5.4.45-178_amd64.deb
    sha:a08df1c8b156a68cce03c245417b60aec84f69da
  • alt-php54-dev_5.4.45-178_amd64.deb
    sha:c90cc7d8b37b10ad9d76ab32d9682b036f5353a1
  • alt-php54-enchant_5.4.45-178_amd64.deb
    sha:5b6a490b7111c6576039d013c13ece0f636070e5
  • alt-php54-firebird_5.4.45-178_amd64.deb
    sha:735c8f51f64a4621ea4931a51783679c96eaa3fe
  • alt-php54-fpm_5.4.45-178_amd64.deb
    sha:39cab272bb64023ba5336cc904899a9bbdc65601
  • alt-php54-gd_5.4.45-178_amd64.deb
    sha:609087dc0ba13626a47d6816642b8b985c08721d
  • alt-php54-imap_5.4.45-178_amd64.deb
    sha:23cbdf4f44eea2ccfd420708f0f973d36764b78c
  • alt-php54-intl_5.4.45-178_amd64.deb
    sha:a18b854343f20453ea741b4534ab55f8e1a996c0
  • alt-php54-ldap_5.4.45-178_amd64.deb
    sha:0639425b3190e181b4f80065e3151d8cb9bfa36e
  • alt-php54-mbstring_5.4.45-178_amd64.deb
    sha:8a2f3b96a102670d338402c24ae5513d971ba359
  • alt-php54-mcrypt_5.4.45-178_amd64.deb
    sha:5a75ab4773b633dc739c1d1c764a76d7afbd6551
  • alt-php54-mssql_5.4.45-178_amd64.deb
    sha:dd52caa969e026cb4b86fe749c84fcd6f69cce59
  • alt-php54-mysqlnd_5.4.45-178_amd64.deb
    sha:8c40a6f214a7c97adf953cf2e8d02bace6eee8a3
  • alt-php54-odbc_5.4.45-178_amd64.deb
    sha:57aa4460e674334642a093baef46eaf574830d1b
  • alt-php54-pdo_5.4.45-178_amd64.deb
    sha:4bf39162b4ad5bb8a26c745051fcbb97056ba13a
  • alt-php54-pgsql_5.4.45-178_amd64.deb
    sha:bb5f6fb9086b69100b9f72848dd0dfb580313238
  • alt-php54-process_5.4.45-178_amd64.deb
    sha:d9de066c0682cf8d80b8b28310c0ad5ae6b0aacc
  • alt-php54-pspell_5.4.45-178_amd64.deb
    sha:c81db761d972ae225993f3b8b63cd16f924884f6
  • alt-php54-recode_5.4.45-178_amd64.deb
    sha:29e628d6d169f8bd80491b5a0c55b6aa7cc9b613
  • alt-php54-snmp_5.4.45-178_amd64.deb
    sha:721746ba5d8948f1b064bf037401e4d2943f2ce1
  • alt-php54-soap_5.4.45-178_amd64.deb
    sha:ce2343f3c036a5627e2064799b5d6415917b2320
  • alt-php54-sybase_5.4.45-178_amd64.deb
    sha:bd9c6689841ccd09f5e7ae865bd1d6a6e9079b49
  • alt-php54-tidy_5.4.45-178_amd64.deb
    sha:583bbb73f6b12b330c668e3fe034eab6314ae146
  • alt-php54-xml_5.4.45-178_amd64.deb
    sha:48892fa7a6bbca29b853143986acd68c8b1c4f00
  • alt-php54-xmlrpc_5.4.45-178_amd64.deb
    sha:2f8d07ab11335af8e53fe603d6fdbc4f9529a57e
  • alt-php54_5.4.45-178_arm64.deb
    sha:8a2eab6840fe6182e5b262c2183c619c4624f42a
  • alt-php54-bcmath_5.4.45-178_arm64.deb
    sha:db0831d6df1b8c134fbf5f6266ea829aa26a9318
  • alt-php54-cli_5.4.45-178_arm64.deb
    sha:58e872939794014a0c794b3534097a0eb93e1433
  • alt-php54-common_5.4.45-178_arm64.deb
    sha:f2803eb191e296d04413fc1158eae701007e4942
  • alt-php54-dba_5.4.45-178_arm64.deb
    sha:4ed2bd257ef455353df1e550ad1cbfab7686c510
  • alt-php54-dbx_5.4.45-178_arm64.deb
    sha:6409bbec5724777eb12099d26783e5834a01f1e1
  • alt-php54-dev_5.4.45-178_arm64.deb
    sha:7f52f2045704b8ec2503f73c41adf99cd898a8d7
  • alt-php54-enchant_5.4.45-178_arm64.deb
    sha:af0ebccdf9378037cc39312a80325a8817cad5f8
  • alt-php54-firebird_5.4.45-178_arm64.deb
    sha:106370f0b069b386f9b177ceca76eda00f61bbf9
  • alt-php54-fpm_5.4.45-178_arm64.deb
    sha:3a1d49144fb2f53fdb56141ed6a8fefd9fcf6c63
  • alt-php54-gd_5.4.45-178_arm64.deb
    sha:011def0c7b8a8b45977eb9d047bd30e4e9f2770a
  • alt-php54-imap_5.4.45-178_arm64.deb
    sha:1f19f429c7de3647ee4db192a0fbadd447d003d1
  • alt-php54-intl_5.4.45-178_arm64.deb
    sha:748da4974901b1221b91a4204ecb0a80f1950d9c
  • alt-php54-ldap_5.4.45-178_arm64.deb
    sha:bee1a3e1a44a99e31a5a30e70e21f8b134a9348f
  • alt-php54-mbstring_5.4.45-178_arm64.deb
    sha:ab510853b0051b082d101574c4c1cdf0d687acea
  • alt-php54-mcrypt_5.4.45-178_arm64.deb
    sha:b12e844d3ee037b702aac08b74fc00d8be90f2be
  • alt-php54-mssql_5.4.45-178_arm64.deb
    sha:475f51227f33c3fbee19cd6e59dc3aae9140f4e9
  • alt-php54-mysqlnd_5.4.45-178_arm64.deb
    sha:b0695fc7f28e39dfcd655a4ff8c695ed23edd0ed
  • alt-php54-odbc_5.4.45-178_arm64.deb
    sha:934324355bac70875e92b0ffbd9f574f16db3d5f
  • alt-php54-pdo_5.4.45-178_arm64.deb
    sha:c3063d5daae51d3b80ee6a2bc340822bc5532903
  • alt-php54-pgsql_5.4.45-178_arm64.deb
    sha:492c3acc806e416b93c06aef9e8b634abdfa388b
  • alt-php54-process_5.4.45-178_arm64.deb
    sha:c4b8b4b2d3b2c3003b28b69963e61ddfef5ba22f
  • alt-php54-pspell_5.4.45-178_arm64.deb
    sha:aaaff3ac56ec4904a83599a7fb58c3db3ff3be78
  • alt-php54-recode_5.4.45-178_arm64.deb
    sha:f6abbe6b2f991fc6f9389dba6aa6a7ed481da5ff
  • alt-php54-snmp_5.4.45-178_arm64.deb
    sha:f88c2eb82c0bb8a2ebe993019eaf42d6edd9c682
  • alt-php54-soap_5.4.45-178_arm64.deb
    sha:062793473d736a87b93cd3d6ae6c647d7bfe2f23
  • alt-php54-sybase_5.4.45-178_arm64.deb
    sha:241e761c9781f79ab3bfcebb67037914d7731c8c
  • alt-php54-tidy_5.4.45-178_arm64.deb
    sha:e7cfa79d6b440e6694035513419298cbffd126f7
  • alt-php54-xml_5.4.45-178_arm64.deb
    sha:b0406dfdd019380180c776dbe33f3b34ae2a4349
  • alt-php54-xmlrpc_5.4.45-178_arm64.deb
    sha:ac6b990cedce1fde999e71a30ba8d89cc543bb51
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.