[CLSA-2026:1779366149] Fix CVE(s): CVE-2026-6722, CVE-2026-6735, CVE-2026-7261, CVE-2026-7262
Type: security
Severity: Critical
Release date: 2026-05-21 14:42:34 UTC
Description:
  * SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
    - debian/patches/php-5.6-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c; adapt addref/dtor changes to pre-PHP7 zval** SOAP API.
    - Note: the 5.6 backport applies the addref half of the upstream fix only; the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is intentionally omitted because in 5.x ref_map is heterogeneous (stores both xmlNodePtr and zval* entries through the same API) and a ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone closes the UAF; cost is one bounded zval leak per request, released with the emalloc pool at RSHUTDOWN.
    - CVE-2026-6722
  * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
    - debian/patches/php-5.6-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c; fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
    - CVE-2026-7262
  * SECURITY UPDATE: soap extension use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
    - debian/patches/php-5.6-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c; wrap both zval_ptr_dtor(&soap_obj) sites in the header-handler failure paths with a persistance!=SOAP_PERSISTENCE_SESSION guard.
    - CVE-2026-7261
  * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri and query_string
    - debian/patches/php-5.6-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c; fix bogus `ENT_HTML_IGNORE_ERRORS & ENT_COMPAT` (= 0) flag and add a parallel escape block for request_uri.
    - Note: upstream (PHP 8.x) routes JSON status output through php_json_encode_string(), which is not exported on 5.x. The 5.6 backport therefore applies the same HTML entity escape to both the HTML and JSON paths via the shared request_uri / query_string buffers. Consumers of `/status?json` will now see HTML-entity-encoded bytes in those fields (e.g. `&amp;` instead of `&`); entities decode back to the original byte but JSON consumers must be prepared to handle them.
    - CVE-2026-6735
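One way a monitoring consumer of `/status?json` can handle the entity-encoded fields described in the CVE-2026-6735 note. This is an added example, not code from the patch or from CloudLinux. It assumes the `processes` array and `request uri` field name of php-fpm's full status listing and an htmlspecialchars-style entity set; the sample payload is constructed.

```python
import html
import json
import re

# Assumption: the backported escape emits only these htmlspecialchars-style
# entities; anything else in the field is literal text and is left untouched.
_ENTITIES = {"amp": "&", "lt": "<", "gt": ">", "quot": '"', "#039": "'", "#39": "'"}
_ENTITY_RE = re.compile(r"&(amp|lt|gt|quot|#0?39);")

# Assumption: field name used by php-fpm's full status listing.
ESCAPED_FIELDS = ("request uri",)


def decode_once(value):
    """Undo exactly one layer of entity escaping in a single left-to-right pass."""
    return _ENTITY_RE.sub(lambda m: _ENTITIES[m.group(1)], value)


def load_status(raw_json):
    """Parse a /status?json payload and restore the original request bytes."""
    status = json.loads(raw_json)
    for proc in status.get("processes", []):
        for field in ESCAPED_FIELDS:
            if isinstance(proc.get(field), str):
                proc[field] = decode_once(proc[field])
    return status


def render_cell(value):
    """Re-escape at the output boundary when the value is shown in an HTML dashboard."""
    return html.escape(value, quote=True)


# Constructed sample payload (not captured from a real server). The trailing
# "&amp;amp;raw" models a request whose query string literally contained "&amp;raw".
SAMPLE = json.dumps({
    "pool": "www",
    "processes": [
        {"pid": 4021, "request method": "GET",
         "request uri": "/search.php?q=&lt;b&gt;&amp;page=2&amp;amp;raw"},
    ],
})

if __name__ == "__main__":
    uri = load_status(SAMPLE)["processes"][0]["request uri"]
    print(uri)               # decoded value for logging or matching
    print(render_cell(uri))  # safe form for HTML output
```

Decoding is only correct against a patched server: applied to an unpatched one, it would alter request strings that legitimately contain entity text.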
Updated packages:
  • alt-php56_5.6.40-123_amd64.deb
  • alt-php56-bcmath_5.6.40-123_amd64.deb
  • alt-php56-cli_5.6.40-123_amd64.deb
  • alt-php56-common_5.6.40-123_amd64.deb
  • alt-php56-dba_5.6.40-123_amd64.deb
  • alt-php56-dbx_5.6.40-123_amd64.deb
  • alt-php56-dev_5.6.40-123_amd64.deb
  • alt-php56-enchant_5.6.40-123_amd64.deb
  • alt-php56-firebird_5.6.40-123_amd64.deb
  • alt-php56-fpm_5.6.40-123_amd64.deb
  • alt-php56-gd_5.6.40-123_amd64.deb
  • alt-php56-imap_5.6.40-123_amd64.deb
  • alt-php56-intl_5.6.40-123_amd64.deb
  • alt-php56-ldap_5.6.40-123_amd64.deb
  • alt-php56-mbstring_5.6.40-123_amd64.deb
  • alt-php56-mcrypt_5.6.40-123_amd64.deb
  • alt-php56-mysqlnd_5.6.40-123_amd64.deb
  • alt-php56-odbc_5.6.40-123_amd64.deb
  • alt-php56-opcache_5.6.40-123_amd64.deb
  • alt-php56-pdo_5.6.40-123_amd64.deb
  • alt-php56-pgsql_5.6.40-123_amd64.deb
  • alt-php56-process_5.6.40-123_amd64.deb
  • alt-php56-pspell_5.6.40-123_amd64.deb
  • alt-php56-recode_5.6.40-123_amd64.deb
  • alt-php56-snmp_5.6.40-123_amd64.deb
  • alt-php56-soap_5.6.40-123_amd64.deb
  • alt-php56-sybase_5.6.40-123_amd64.deb
  • alt-php56-tidy_5.6.40-123_amd64.deb
  • alt-php56-xml_5.6.40-123_amd64.deb
  • alt-php56-xmlrpc_5.6.40-123_amd64.deb
  • alt-php56_5.6.40-123_arm64.deb
  • alt-php56-bcmath_5.6.40-123_arm64.deb
  • alt-php56-cli_5.6.40-123_arm64.deb
  • alt-php56-common_5.6.40-123_arm64.deb
  • alt-php56-dba_5.6.40-123_arm64.deb
  • alt-php56-dbx_5.6.40-123_arm64.deb
  • alt-php56-dev_5.6.40-123_arm64.deb
  • alt-php56-enchant_5.6.40-123_arm64.deb
  • alt-php56-firebird_5.6.40-123_arm64.deb
  • alt-php56-fpm_5.6.40-123_arm64.deb
  • alt-php56-gd_5.6.40-123_arm64.deb
  • alt-php56-imap_5.6.40-123_arm64.deb
  • alt-php56-intl_5.6.40-123_arm64.deb
  • alt-php56-ldap_5.6.40-123_arm64.deb
  • alt-php56-mbstring_5.6.40-123_arm64.deb
  • alt-php56-mcrypt_5.6.40-123_arm64.deb
  • alt-php56-mysqlnd_5.6.40-123_arm64.deb
  • alt-php56-odbc_5.6.40-123_arm64.deb
  • alt-php56-opcache_5.6.40-123_arm64.deb
  • alt-php56-pdo_5.6.40-123_arm64.deb
  • alt-php56-pgsql_5.6.40-123_arm64.deb
  • alt-php56-process_5.6.40-123_arm64.deb
  • alt-php56-pspell_5.6.40-123_arm64.deb
  • alt-php56-recode_5.6.40-123_arm64.deb
  • alt-php56-snmp_5.6.40-123_arm64.deb
  • alt-php56-soap_5.6.40-123_arm64.deb
  • alt-php56-sybase_5.6.40-123_arm64.deb
  • alt-php56-tidy_5.6.40-123_arm64.deb
  • alt-php56-xml_5.6.40-123_arm64.deb
  • alt-php56-xmlrpc_5.6.40-123_arm64.deb
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.