[CLSA-2026:1779362339] Fix CVE(s): CVE-2026-6722, CVE-2026-6735, CVE-2026-7261, CVE-2026-7262
Type:
security
Severity:
Critical
Release date:
2026-05-21 11:19:14 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-5.6-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes to pre-PHP7 zval** SOAP API. - Note: the 5.6 backport applies the addref half of the upstream fix only; the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is intentionally omitted because in 5.x ref_map is heterogeneous (stores both xmlNodePtr and zval* entries through the same API) and a ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone closes the UAF; cost is one bounded zval leak per request, released with the emalloc pool at RSHUTDOWN. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-5.6-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: soap extension use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION - debian/patches/php-5.6-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj) sites in the header-handler failure paths with a persistance!=SOAP_PERSISTENCE_SESSION guard. - CVE-2026-7261 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri and query_string - debian/patches/php-5.6-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — fix bogus `ENT_HTML_IGNORE_ERRORS & ENT_COMPAT` (= 0) flag and add a parallel escape block for request_uri. - Note: upstream (PHP 8.x) routes JSON status output through php_json_encode_string(), which is not exported on 5.x. The 5.6 backport therefore applies the same HTML entity escape to both the HTML and JSON paths via the shared request_uri / query_string buffers. Consumers of `/status?json` will now see HTML-entity-encoded bytes in those fields (e.g. `&` instead of `&`); entities decode back to the original byte but JSON consumers must be prepared to handle them. - CVE-2026-6735
Updated packages:
  • alt-php56_5.6.40-123_amd64.deb
    sha:9e99a313d93dd3138007aed3138c420a77832e1d
  • alt-php56-bcmath_5.6.40-123_amd64.deb
    sha:bbc80005b88c13b123e234e5c801f2b8135ad67e
  • alt-php56-cli_5.6.40-123_amd64.deb
    sha:7d3c63e2b697892649da1c0e438c1970a4f2e5a8
  • alt-php56-common_5.6.40-123_amd64.deb
    sha:df65ff3e72c63f43f7d8d9f8b8de9f3280ceef8f
  • alt-php56-dba_5.6.40-123_amd64.deb
    sha:f6a2fbccf13634b68a40938cf924fcd10761db77
  • alt-php56-dbx_5.6.40-123_amd64.deb
    sha:c51cc564a5bcf4b583175f3bdd282bb1b5f14060
  • alt-php56-dev_5.6.40-123_amd64.deb
    sha:300f5fed65c1cc47673070963d029cc2575808a3
  • alt-php56-enchant_5.6.40-123_amd64.deb
    sha:f9cd29b041746c1014781fbc5efaa3096c5f91bd
  • alt-php56-firebird_5.6.40-123_amd64.deb
    sha:a348724972b5c125e64d2940f98ad5d04406d9de
  • alt-php56-fpm_5.6.40-123_amd64.deb
    sha:cffc47c30d897dcea618d41fc9024f8ee3a9c2ff
  • alt-php56-gd_5.6.40-123_amd64.deb
    sha:a9c1cbdc2bc06c68978985226e194aa60171a3b3
  • alt-php56-imap_5.6.40-123_amd64.deb
    sha:ff6f75ba2829ebd6206926aa3ad42f8af4d13108
  • alt-php56-intl_5.6.40-123_amd64.deb
    sha:2345147a901e392dadb355385dc054fc4f990b39
  • alt-php56-ldap_5.6.40-123_amd64.deb
    sha:a0af111a79f964ce2cc2601102fec5df4bf94286
  • alt-php56-mbstring_5.6.40-123_amd64.deb
    sha:a7e5b53c9f389894e5bf3aad07409126a0d0e4d7
  • alt-php56-mcrypt_5.6.40-123_amd64.deb
    sha:25bb95f84c66152791d8827d33c06cdedea22995
  • alt-php56-mysqlnd_5.6.40-123_amd64.deb
    sha:39f42bac4231f1215ec4f8a260cc394dcdb8ab9b
  • alt-php56-odbc_5.6.40-123_amd64.deb
    sha:c86b097d0383c7acccd06b779ca5a0bfc7c6517b
  • alt-php56-opcache_5.6.40-123_amd64.deb
    sha:7ce7621acfad892dbadfdc45526b95d71b944ffa
  • alt-php56-pdo_5.6.40-123_amd64.deb
    sha:11fbba6e1b00f6ccce25c95d75fd247dc556a5d8
  • alt-php56-pgsql_5.6.40-123_amd64.deb
    sha:96b06a9b3a95b2a162bccdd29dbf2c7b966c63fa
  • alt-php56-process_5.6.40-123_amd64.deb
    sha:8376f6de8e57c16bcd6717426ee603de5c49f240
  • alt-php56-pspell_5.6.40-123_amd64.deb
    sha:4bc481a2a8f74df9ebba2b38051cd79f6f093dc5
  • alt-php56-recode_5.6.40-123_amd64.deb
    sha:559645ff5bd8cdd92215095bafd5a032f1ba5da2
  • alt-php56-snmp_5.6.40-123_amd64.deb
    sha:fc3037f37298ade7562dffbce3d406419ce4e530
  • alt-php56-soap_5.6.40-123_amd64.deb
    sha:1c2b01563b022b5198fd6b70e80f813408bdb3f4
  • alt-php56-sybase_5.6.40-123_amd64.deb
    sha:74ea6d123c704a45f9451d9d4d22f634bc570c2c
  • alt-php56-tidy_5.6.40-123_amd64.deb
    sha:02637f163da3497dd1fe83a68c0f0e105abd9b68
  • alt-php56-xml_5.6.40-123_amd64.deb
    sha:8f3d01b153ad4ceb887fe9aca7298519c7fb7986
  • alt-php56-xmlrpc_5.6.40-123_amd64.deb
    sha:a1ca4b248c37304fea49f9ad044286432fe54b7c
  • alt-php56_5.6.40-123_arm64.deb
    sha:2e094c66e0a520967b2ee9702d152539088e6822
  • alt-php56-bcmath_5.6.40-123_arm64.deb
    sha:067452d20233c006589a6c5174c21c2eacee17f8
  • alt-php56-cli_5.6.40-123_arm64.deb
    sha:d17a0feaf0928fe3f5f1163edb0dfcebd5220ee8
  • alt-php56-common_5.6.40-123_arm64.deb
    sha:bf1e50b420321368e24fe6e2c49ce6397b802fda
  • alt-php56-dba_5.6.40-123_arm64.deb
    sha:5da94f9be3d21fa80ca227125f932a3263990d17
  • alt-php56-dbx_5.6.40-123_arm64.deb
    sha:208eb1ce8f7479c6a76f49088575f1d87cc6e52c
  • alt-php56-dev_5.6.40-123_arm64.deb
    sha:b06482a1ad89014805d2edf647b5668d8e6f6399
  • alt-php56-enchant_5.6.40-123_arm64.deb
    sha:bfc66a5b3c9c9281d5eb6c97d941060881eb8e9f
  • alt-php56-firebird_5.6.40-123_arm64.deb
    sha:1efec05a36cf20c2bba9770474d7be3d95b2560a
  • alt-php56-fpm_5.6.40-123_arm64.deb
    sha:0e4897a3d45cccedcade9fe47f9ad277e6863c2f
  • alt-php56-gd_5.6.40-123_arm64.deb
    sha:aaf9673be17d8698723c043a2e7901dc4fc2acb4
  • alt-php56-imap_5.6.40-123_arm64.deb
    sha:0ab91c9dfed56fee23b72b907f758db9ac479f55
  • alt-php56-intl_5.6.40-123_arm64.deb
    sha:412583dcdf92c82acdcb99e7ce7fe0be9943b2c7
  • alt-php56-ldap_5.6.40-123_arm64.deb
    sha:dfec368f53842732075bb7cd174af88d189109a8
  • alt-php56-mbstring_5.6.40-123_arm64.deb
    sha:87cf2e6bc63b620f85297f409c80850a15a39d61
  • alt-php56-mcrypt_5.6.40-123_arm64.deb
    sha:9d67a785f25734821a5a6ba5ad0d90b2ba0244d3
  • alt-php56-mysqlnd_5.6.40-123_arm64.deb
    sha:06ca05bc48df5766959131932e4930372f8687fa
  • alt-php56-odbc_5.6.40-123_arm64.deb
    sha:d6371dcf07020bf90c076af314e02492b5bc575b
  • alt-php56-opcache_5.6.40-123_arm64.deb
    sha:6b61da9cc48c0095b97a81c6ddc4b52363083617
  • alt-php56-pdo_5.6.40-123_arm64.deb
    sha:771e1111b36e3a4e204b19a5984aca1937019c9c
  • alt-php56-pgsql_5.6.40-123_arm64.deb
    sha:69c6339ae10b1f29e7a7ed3d1bfe7d87ce86b27c
  • alt-php56-process_5.6.40-123_arm64.deb
    sha:e59dc28e3293e5ee32f59a5e8476901dfa9069bf
  • alt-php56-pspell_5.6.40-123_arm64.deb
    sha:acbe290ea7be10d9790c8ba4edbcad5b078742e3
  • alt-php56-recode_5.6.40-123_arm64.deb
    sha:8eef5bdb93f33026516cc99cfb065c6b45bb2218
  • alt-php56-snmp_5.6.40-123_arm64.deb
    sha:3631b035e79121b2d323e1dc0d232e20fc167ea1
  • alt-php56-soap_5.6.40-123_arm64.deb
    sha:30935917051f0855348aec4e432ebb2d01977868
  • alt-php56-sybase_5.6.40-123_arm64.deb
    sha:84e9809bf2162e7c2994cc9dbb03be5981c32f6c
  • alt-php56-tidy_5.6.40-123_arm64.deb
    sha:3aa4831558308b34e98309fa927474eb39167b99
  • alt-php56-xml_5.6.40-123_arm64.deb
    sha:414dc86b3381153fed1dbc85bf5ff53595df5131
  • alt-php56-xmlrpc_5.6.40-123_arm64.deb
    sha:a15a23b12915ecaddd78d2073b747b85cfba9462
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.