[CLSA-2026:1779370097] Fix CVE(s): CVE-2026-6722, CVE-2026-6735, CVE-2026-7261, CVE-2026-7262
Type: security
Severity: Critical
Release date: 2026-05-21 13:28:23 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
  - debian/patches/php-5.6-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes to pre-PHP7 zval** SOAP API.
  - Note: the 5.6 backport applies the addref half of the upstream fix only; the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is intentionally omitted because in 5.x ref_map is heterogeneous (stores both xmlNodePtr and zval* entries through the same API) and a ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone closes the UAF; cost is one bounded zval leak per request, released with the emalloc pool at RSHUTDOWN.
  - CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
  - debian/patches/php-5.6-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
  - CVE-2026-7262
* SECURITY UPDATE: soap extension use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
  - debian/patches/php-5.6-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj) sites in the header-handler failure paths with a persistance!=SOAP_PERSISTENCE_SESSION guard.
  - CVE-2026-7261
* SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri and query_string
  - debian/patches/php-5.6-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — fix bogus `ENT_HTML_IGNORE_ERRORS & ENT_COMPAT` (= 0) flag and add a parallel escape block for request_uri.
  - Note: upstream (PHP 8.x) routes JSON status output through php_json_encode_string(), which is not exported on 5.x. The 5.6 backport therefore applies the same HTML entity escape to both the HTML and JSON paths via the shared request_uri / query_string buffers. Consumers of `/status?json` will now see HTML-entity-encoded bytes in those fields (e.g. `&amp;` instead of `&`); entities decode back to the original byte but JSON consumers must be prepared to handle them.
  - CVE-2026-6735
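For consumers of `/status?json` affected by the CVE-2026-6735 note above, one way to handle the entity-encoded fields (an added example, not part of the advisory or the CloudLinux patch). The per-process key name "request uri", the "processes" array and the sample payload are assumptions constructed for illustration; adjust them to what your endpoint returns.

```python
import html
import json

# Assumption: key in each per-process entry that carries request_uri
# (with "?query_string" appended) in the full status output.
ENTITY_ENCODED_KEYS = ("request uri",)

# Constructed sample of a patched /status?json&full response.
SAMPLE = ('{"pool":"www","processes":[{"pid":1234,"request uri":'
          '"/search?q=a&amp;copy=1&amp;b=&lt;b&gt;&quot;x&quot;"}]}')


def decode_status(raw_json, keys=ENTITY_ENCODED_KEYS):
    """Parse status JSON and undo the HTML entity escaping exactly once.

    Decoding a second time would corrupt values: "&copy=1" in the
    already-decoded URI would be read as the entity for the copyright sign.
    """
    status = json.loads(raw_json)
    for proc in status.get("processes", []):
        for key in keys:
            value = proc.get(key)
            if isinstance(value, str):
                proc[key] = html.unescape(value)
    return status


def render_cell(value):
    """Escape a decoded value again at the point it is written into HTML.

    The decoded URI is attacker-controlled request data; storing it raw is
    fine for logs and metrics, but any HTML sink must re-escape it.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    uri = decode_status(SAMPLE)["processes"][0]["request uri"]
    print(uri)
    print(render_cell(uri))
```

Apply the decode only to hosts running the patched package; on an unpatched host the same fields arrive unescaped and decoding them would alter URIs that legitimately contain entity-like text.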
Updated packages:
  • alt-php56_5.6.40-123_amd64.deb
  • alt-php56-bcmath_5.6.40-123_amd64.deb
  • alt-php56-cli_5.6.40-123_amd64.deb
  • alt-php56-common_5.6.40-123_amd64.deb
  • alt-php56-dba_5.6.40-123_amd64.deb
  • alt-php56-dbx_5.6.40-123_amd64.deb
  • alt-php56-dev_5.6.40-123_amd64.deb
  • alt-php56-enchant_5.6.40-123_amd64.deb
  • alt-php56-firebird_5.6.40-123_amd64.deb
  • alt-php56-fpm_5.6.40-123_amd64.deb
  • alt-php56-gd_5.6.40-123_amd64.deb
  • alt-php56-imap_5.6.40-123_amd64.deb
  • alt-php56-intl_5.6.40-123_amd64.deb
  • alt-php56-ldap_5.6.40-123_amd64.deb
  • alt-php56-mbstring_5.6.40-123_amd64.deb
  • alt-php56-mcrypt_5.6.40-123_amd64.deb
  • alt-php56-mysqlnd_5.6.40-123_amd64.deb
  • alt-php56-odbc_5.6.40-123_amd64.deb
  • alt-php56-opcache_5.6.40-123_amd64.deb
  • alt-php56-pdo_5.6.40-123_amd64.deb
  • alt-php56-pgsql_5.6.40-123_amd64.deb
  • alt-php56-process_5.6.40-123_amd64.deb
  • alt-php56-pspell_5.6.40-123_amd64.deb
  • alt-php56-recode_5.6.40-123_amd64.deb
  • alt-php56-snmp_5.6.40-123_amd64.deb
  • alt-php56-soap_5.6.40-123_amd64.deb
  • alt-php56-sybase_5.6.40-123_amd64.deb
  • alt-php56-tidy_5.6.40-123_amd64.deb
  • alt-php56-xml_5.6.40-123_amd64.deb
  • alt-php56-xmlrpc_5.6.40-123_amd64.deb
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.