[CLSA-2026:1779365279] Fix CVE(s): CVE-2026-6722, CVE-2026-6735, CVE-2026-7261, CVE-2026-7262
Type: security
Severity: Critical
Release date: 2026-05-21 12:08:05 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
  - debian/patches/php-5.6-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c; adapt addref/dtor changes to pre-PHP7 zval** SOAP API.
  - Note: the 5.6 backport applies the addref half of the upstream fix only; the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is intentionally omitted because in 5.x ref_map is heterogeneous (stores both xmlNodePtr and zval* entries through the same API) and a ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone closes the UAF; cost is one bounded zval leak per request, released with the emalloc pool at RSHUTDOWN.
  - CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
  - debian/patches/php-5.6-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c; fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
  - CVE-2026-7262
* SECURITY UPDATE: soap extension use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
  - debian/patches/php-5.6-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c; wrap both zval_ptr_dtor(&soap_obj) sites in the header-handler failure paths with a persistance!=SOAP_PERSISTENCE_SESSION guard.
  - CVE-2026-7261
* SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri and query_string
  - debian/patches/php-5.6-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c; fix bogus `ENT_HTML_IGNORE_ERRORS & ENT_COMPAT` (= 0) flag and add a parallel escape block for request_uri.
  - Note: upstream (PHP 8.x) routes JSON status output through php_json_encode_string(), which is not exported on 5.x. The 5.6 backport therefore applies the same HTML entity escape to both the HTML and JSON paths via the shared request_uri / query_string buffers. Consumers of `/status?json` will now see HTML-entity-encoded bytes in those fields (e.g. `&amp;` instead of `&`); entities decode back to the original byte but JSON consumers must be prepared to handle them.
  - CVE-2026-6735
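For consumers of `/status?json` affected by the CVE-2026-6735 note above, the following is an added example (not part of the advisory or of the CloudLinux/PHP code) of handling the entity-encoded fields: parse the JSON first, decode entities exactly once, and re-escape before any HTML rendering. The field names `request uri` and `query string`, the sample payload and the function names are assumptions made for illustration.

```python
import html
import json

# Assumed names of the per-process fields that carry the escaped
# request_uri / query_string buffers; adjust to your status output.
ESCAPED_FIELDS = ("request uri", "query string")

# Constructed sample of a patched host's status JSON (not captured output).
SAMPLE_STATUS = r'''{"pool": "www", "processes": [
  {"pid": 4242, "request uri": "/search.php?q=&lt;b&gt;&amp;lang=&quot;en&quot;"},
  {"pid": 4243, "request uri": "/page.php?t=&amp;amp;"}
]}'''


def load_status(raw):
    """Parse the status document, then decode entities once per field.

    Decoding must happen after json.loads(): turning &quot; back into a
    double quote inside the raw text would break the JSON string.
    """
    status = json.loads(raw)
    for proc in status.get("processes", []):
        for field in ESCAPED_FIELDS:
            value = proc.get(field)
            if isinstance(value, str):
                # Single pass only: a request that literally contained
                # "&amp;" arrives as "&amp;amp;" and must stay "&amp;".
                proc[field] = html.unescape(value)
    return status


def render_cell(value):
    """Escape a decoded value again before placing it in HTML.

    The decoded string is request-controlled, so a dashboard that prints
    it unescaped reintroduces the XSS the patch removes server-side.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for proc in load_status(SAMPLE_STATUS)["processes"]:
        uri = proc["request uri"]
        print(proc["pid"], repr(uri), "->", render_cell(uri))
```

Run the decode step only against hosts that carry this update; on an unpatched host the fields are not entity-encoded and decoding would alter values that contain literal entity text.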
Updated packages:
  • alt-php56_5.6.40-123_amd64.deb
    sha:ada53722c13198213a92f666e7c6628ad0777b6f
  • alt-php56-bcmath_5.6.40-123_amd64.deb
    sha:1ac25e965dba7c264f6fa71fb14c63288b261ab5
  • alt-php56-cli_5.6.40-123_amd64.deb
    sha:f893191315bc4b303ca404772145aa7ee475d12c
  • alt-php56-common_5.6.40-123_amd64.deb
    sha:c4f1d0eedb678487066146e673e7fa8a3ebb71b1
  • alt-php56-dba_5.6.40-123_amd64.deb
    sha:b66252dbac51745ae3e2ffc79b6c2d37ca203da9
  • alt-php56-dbx_5.6.40-123_amd64.deb
    sha:cc55e6119463c315b9cba1d2b29dfa2e40fddc6a
  • alt-php56-dev_5.6.40-123_amd64.deb
    sha:530ffd09c72f1409e841c9beac8ce2f14f57ff47
  • alt-php56-enchant_5.6.40-123_amd64.deb
    sha:5bbdee4293c79a2b11521497d12229ee19b433f1
  • alt-php56-firebird_5.6.40-123_amd64.deb
    sha:748b568574c5696aaa405fe9ab4b630d450b91de
  • alt-php56-fpm_5.6.40-123_amd64.deb
    sha:94d9afec009f1aa48e0a8802bdb15844e1f2f00b
  • alt-php56-gd_5.6.40-123_amd64.deb
    sha:4e8dd73f08fc21e40bd51358b7aef027071202bc
  • alt-php56-imap_5.6.40-123_amd64.deb
    sha:26c6195cd3f7822ac7944c53503301bc6d1f1854
  • alt-php56-intl_5.6.40-123_amd64.deb
    sha:dfdac7ad371c6d9e6a82d99c4a3a95cf95d180b7
  • alt-php56-ldap_5.6.40-123_amd64.deb
    sha:dda728f4ae9cf3f69ea7fa8b7163a74b9a975d2e
  • alt-php56-mbstring_5.6.40-123_amd64.deb
    sha:872999ee0a6a80464f8865b21c85e6f8699d3252
  • alt-php56-mcrypt_5.6.40-123_amd64.deb
    sha:4d9bd6dd424f2d59d84320f95fe686d4162f3610
  • alt-php56-mysqlnd_5.6.40-123_amd64.deb
    sha:9179cad7db2e804587a35c9dd2ebeb5ab6241c2b
  • alt-php56-odbc_5.6.40-123_amd64.deb
    sha:f3fdbdb70c67c25896a8aa5113e916ae1f76a3e4
  • alt-php56-opcache_5.6.40-123_amd64.deb
    sha:13e0d1183344e70c3ea8150083c2c1ca9f073205
  • alt-php56-pdo_5.6.40-123_amd64.deb
    sha:5498652d7d782fe8855e6392c71fd7ad4b131fda
  • alt-php56-pgsql_5.6.40-123_amd64.deb
    sha:046734298e53b942490a82bd8f0b34bdf35caad6
  • alt-php56-process_5.6.40-123_amd64.deb
    sha:b83c1bbbf784d2faf0ecdc635596a4931625042f
  • alt-php56-pspell_5.6.40-123_amd64.deb
    sha:2e8a9490a7c6fd1115d7bfa03ee498a3d9511d66
  • alt-php56-recode_5.6.40-123_amd64.deb
    sha:c56e53b88cd4050d8221835c6a55d938ff3cc127
  • alt-php56-snmp_5.6.40-123_amd64.deb
    sha:769d58c494e5fe1e05ee60c283256a69f55f0745
  • alt-php56-soap_5.6.40-123_amd64.deb
    sha:12b9e3f898764b8e6372414f77a46df4c2035213
  • alt-php56-sybase_5.6.40-123_amd64.deb
    sha:4e2a06b538099d148e0073c4aa3eb324cd6427c2
  • alt-php56-tidy_5.6.40-123_amd64.deb
    sha:4141504a45fcb04175c9e625e0bf6d5e43da2a19
  • alt-php56-xml_5.6.40-123_amd64.deb
    sha:e66b7ef0b7e31ebef943e23b03482280f655a314
  • alt-php56-xmlrpc_5.6.40-123_amd64.deb
    sha:11130a2493efe8c030ec2d1082de3ea0979a9fa7
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.