[CLSA-2026:1779364151] Fix CVE(s): CVE-2026-6722, CVE-2026-6735, CVE-2026-7261, CVE-2026-7262
Type:
security
Severity:
Critical
Release date:
2026-05-21 11:49:16 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
  - debian/patches/php-5.6-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes to pre-PHP7 zval** SOAP API.
  - Note: the 5.6 backport applies the addref half of the upstream fix only; the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is intentionally omitted because in 5.x ref_map is heterogeneous (stores both xmlNodePtr and zval* entries through the same API) and a ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone closes the UAF; cost is one bounded zval leak per request, released with the emalloc pool at RSHUTDOWN.
  - CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
  - debian/patches/php-5.6-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
  - CVE-2026-7262
* SECURITY UPDATE: soap extension use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
  - debian/patches/php-5.6-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj) sites in the header-handler failure paths with a persistance!=SOAP_PERSISTENCE_SESSION guard.
  - CVE-2026-7261
* SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri and query_string
  - debian/patches/php-5.6-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — fix bogus `ENT_HTML_IGNORE_ERRORS & ENT_COMPAT` (= 0) flag and add a parallel escape block for request_uri.
  - Note: upstream (PHP 8.x) routes JSON status output through php_json_encode_string(), which is not exported on 5.x. The 5.6 backport therefore applies the same HTML entity escape to both the HTML and JSON paths via the shared request_uri / query_string buffers. Consumers of `/status?json` will now see HTML-entity-encoded bytes in those fields (e.g. `&amp;` instead of `&`); entities decode back to the original byte but JSON consumers must be prepared to handle them.
  - CVE-2026-6735
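
Why the flag expression named in the CVE-2026-6735 entry evaluates to 0 and what that does to quote escaping, as an added example (not code from PHP or from the CloudLinux patch). The constants mirror the values in PHP's ext/standard/html.h; `escape_html`, `FLAGS_BUGGY` and `FLAGS_MERGED` are hypothetical names, and treating `|` as the intended operator is an assumption, since the advisory only says the flag was bogus.

```c
#include <stdio.h>
#include <string.h>

/* Values mirror the quote flags in PHP's ext/standard/html.h. */
#define ENT_HTML_QUOTE_SINGLE  1
#define ENT_HTML_QUOTE_DOUBLE  2
#define ENT_HTML_IGNORE_ERRORS 4
#define ENT_COMPAT             ENT_HTML_QUOTE_DOUBLE

#define FLAGS_BUGGY  (ENT_HTML_IGNORE_ERRORS & ENT_COMPAT) /* 4 & 2 == 0 */
#define FLAGS_MERGED (ENT_HTML_IGNORE_ERRORS | ENT_COMPAT) /* assumed intent: 6 */

/* Hypothetical stand-in escaper: writes the escaped, NUL-terminated form
 * of src into dst; returns the length written, or -1 if dst is too small. */
static int escape_html(char *dst, size_t cap, const char *src, int flags)
{
    size_t n = 0;
    for (; *src; src++) {
        const char *rep = NULL;
        char one[2] = { *src, '\0' };
        switch (*src) {
        case '&':  rep = "&amp;"; break;
        case '<':  rep = "&lt;";  break;
        case '>':  rep = "&gt;";  break;
        case '"':  if (flags & ENT_HTML_QUOTE_DOUBLE) rep = "&quot;"; break;
        case '\'': if (flags & ENT_HTML_QUOTE_SINGLE) rep = "&#039;"; break;
        }
        if (!rep) rep = one;              /* character passes through as-is */
        size_t len = strlen(rep);
        if (n + len >= cap) { if (cap) dst[0] = '\0'; return -1; }
        memcpy(dst + n, rep, len);
        n += len;
    }
    if (cap == 0) return -1;
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    const char *uri = "/status?a=\"b\"&c=1";  /* constructed sample value */
    char out[128];
    escape_html(out, sizeof out, uri, FLAGS_BUGGY);
    printf("buggy : %s\n", out);             /* double quotes left raw */
    escape_html(out, sizeof out, uri, FLAGS_MERGED);
    printf("merged: %s\n", out);             /* double quotes become &quot; */
    return 0;
}
```

With the AND-ed value no quote bit is set, so the escaper behaves as if no quote escaping had been requested; `&`, `<` and `>` are still encoded either way.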
Updated packages:
  • alt-php56_5.6.40-123_amd64.deb
    sha:ada53722c13198213a92f666e7c6628ad0777b6f
  • alt-php56-bcmath_5.6.40-123_amd64.deb
    sha:a1ee2505f2dba89c7f36c3b88ef677eb33e6278b
  • alt-php56-cli_5.6.40-123_amd64.deb
    sha:b87ee980cedda534d287a305e5132f30b08dd3af
  • alt-php56-common_5.6.40-123_amd64.deb
    sha:fb92ac190a261d55cda705877fe8b3e13237add7
  • alt-php56-dba_5.6.40-123_amd64.deb
    sha:6d9d6da2dc91d11125fcb61a52839f988996339e
  • alt-php56-dbx_5.6.40-123_amd64.deb
    sha:03ebb0fd562c21ed68a7ead2c611dd374abdc00b
  • alt-php56-dev_5.6.40-123_amd64.deb
    sha:cf13cdf16723c7f96ffc33705505a4b0b31308d3
  • alt-php56-enchant_5.6.40-123_amd64.deb
    sha:2313d89b073ab789f6ab18a18685a025f04d537f
  • alt-php56-firebird_5.6.40-123_amd64.deb
    sha:cbf7cf30c55b943dfdbd8fa7ee09561773d1839d
  • alt-php56-fpm_5.6.40-123_amd64.deb
    sha:dbbaa9a261dc806967dae01d65b9fc2aa092664a
  • alt-php56-gd_5.6.40-123_amd64.deb
    sha:fac75b2836877b4ceda1f7dbdc7746b92d6e8b18
  • alt-php56-imap_5.6.40-123_amd64.deb
    sha:c72c1f706dd1ac8af51adb262adf525be85392ce
  • alt-php56-intl_5.6.40-123_amd64.deb
    sha:ef4ab4f23b684bb450fc27360acff696b199fe6e
  • alt-php56-ldap_5.6.40-123_amd64.deb
    sha:be7142378f6c1d03acd45b72b364f2d965ed7124
  • alt-php56-mbstring_5.6.40-123_amd64.deb
    sha:dc2da2987f6dd47f7a5bb31cc8e6465ebb640340
  • alt-php56-mcrypt_5.6.40-123_amd64.deb
    sha:d0290c9da63834951f6905ce22740a0ebba6191b
  • alt-php56-mysqlnd_5.6.40-123_amd64.deb
    sha:42532315ed51f32b6ed71a3d5385cafe18b0a4d4
  • alt-php56-odbc_5.6.40-123_amd64.deb
    sha:7b1a9d246729e4af156c498a077e5e65acbdb8b2
  • alt-php56-opcache_5.6.40-123_amd64.deb
    sha:1a1602d43d787481ba0ef97acb0e6eaa8962c0fc
  • alt-php56-pdo_5.6.40-123_amd64.deb
    sha:c99592ea30fe6ba0e650749327f8fd7e17a5c64b
  • alt-php56-pgsql_5.6.40-123_amd64.deb
    sha:de683cbcd4093117c6b33aa27808746d365d3db5
  • alt-php56-process_5.6.40-123_amd64.deb
    sha:d126f5a8849183f71e59bd6f47b67b1856ac6f3a
  • alt-php56-pspell_5.6.40-123_amd64.deb
    sha:727fab85801a42c7b7248bc8fb1c3f41193529a1
  • alt-php56-recode_5.6.40-123_amd64.deb
    sha:50c149dfc782729860f211d4b856ac03d30c76ef
  • alt-php56-snmp_5.6.40-123_amd64.deb
    sha:abc83ab42eb742d182aaffabed414682b2db734e
  • alt-php56-soap_5.6.40-123_amd64.deb
    sha:b7127af9376eea2bdf53a2ad6380a8076cf65844
  • alt-php56-sybase_5.6.40-123_amd64.deb
    sha:ebd11332de6ab83bc31057036db0069284356454
  • alt-php56-tidy_5.6.40-123_amd64.deb
    sha:862ba9d81218e8fa74b320c52211282a53ada35a
  • alt-php56-xml_5.6.40-123_amd64.deb
    sha:10a7601b93cde16c9c95969608e81dc4b14f5862
  • alt-php56-xmlrpc_5.6.40-123_amd64.deb
    sha:2ff80a6435a499c78c4da661c3892f4b949c9386
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.