[CLSA-2026:1779370897] Fix CVE(s): CVE-2026-6722, CVE-2026-6735, CVE-2026-7261, CVE-2026-7262
Type:
security
Severity:
Critical
Release date:
2026-05-21 13:41:43 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
  - debian/patches/php-5.6-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes to pre-PHP7 zval** SOAP API.
  - Note: the 5.6 backport applies the addref half of the upstream fix only; the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is intentionally omitted because in 5.x ref_map is heterogeneous (stores both xmlNodePtr and zval* entries through the same API) and a ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone closes the UAF; cost is one bounded zval leak per request, released with the emalloc pool at RSHUTDOWN.
  - CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
  - debian/patches/php-5.6-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
  - CVE-2026-7262
* SECURITY UPDATE: soap extension use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
  - debian/patches/php-5.6-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj) sites in the header-handler failure paths with a persistance!=SOAP_PERSISTENCE_SESSION guard.
  - CVE-2026-7261
* SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri and query_string
  - debian/patches/php-5.6-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — fix bogus `ENT_HTML_IGNORE_ERRORS & ENT_COMPAT` (= 0) flag and add a parallel escape block for request_uri.
  - Note: upstream (PHP 8.x) routes JSON status output through php_json_encode_string(), which is not exported on 5.x. The 5.6 backport therefore applies the same HTML entity escape to both the HTML and JSON paths via the shared request_uri / query_string buffers. Consumers of `/status?json` will now see HTML-entity-encoded bytes in those fields (e.g. `&amp;` instead of `&`); entities decode back to the original byte but JSON consumers must be prepared to handle them.
  - CVE-2026-6735
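For the `/status?json` behaviour change noted under CVE-2026-6735, the following is an added example (not CloudLinux or PHP code) of a monitoring consumer that decodes the entity-encoded field exactly once and re-escapes it before rendering it as HTML. The `"request uri"` key, the `processes` layout and the sample document are constructed assumptions about the full status output; `entity_encoded` is a hypothetical per-host switch recording whether the host runs the patched package.

```python
import html
import json

# Assumption: in the full JSON status output the request URI and its query
# string are reported together under this per-process key.
ENCODED_FIELDS = ("request uri",)

# Constructed sample of what a patched 5.6 host could return for a request to
# /search.php?q=a&b=<i>"x"  (entities appear inside the JSON string value).
SAMPLE = (
    '{"pool": "www", "processes": [{"pid": 1201, "state": "Running", '
    '"request method": "GET", '
    '"request uri": "/search.php?q=a&amp;b=&lt;i&gt;&quot;x&quot;"}]}'
)


def load_status(raw, entity_encoded):
    """Parse a status document and return it with the original URI bytes.

    entity_encoded must be True only for hosts carrying the backport.
    Decoding output from an unpatched host would corrupt any URI that
    legitimately contains text such as "&amp;".
    """
    doc = json.loads(raw)
    for proc in doc.get("processes", []):
        for field in ENCODED_FIELDS:
            value = proc.get(field)
            if entity_encoded and isinstance(value, str):
                # Single pass: "&amp;lt;" becomes "&lt;", never "<".
                proc[field] = html.unescape(value)
    return doc


def render_row(proc):
    """Render one process as an HTML table row for a dashboard.

    The decoded URI is attacker-influenced, so it is escaped again here;
    skipping this step would move the XSS from php-fpm into the dashboard.
    """
    uri = html.escape(proc.get("request uri", ""), quote=True)
    return "<tr><td>%d</td><td>%s</td></tr>" % (proc["pid"], uri)


if __name__ == "__main__":
    status = load_status(SAMPLE, entity_encoded=True)
    for p in status["processes"]:
        print(p["request uri"])
        print(render_row(p))
```

Decoded values are suitable for logging, matching and alerting; anything written back into HTML goes through `render_row` or an equivalent escape.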
Updated packages:
  • alt-php56_5.6.40-123_amd64.deb
    sha:57a6d117ec029633c147424c0887bd1ad8564a7a
  • alt-php56-bcmath_5.6.40-123_amd64.deb
    sha:964e34589ee311c8cdf0ab080403d0abecea86d5
  • alt-php56-cli_5.6.40-123_amd64.deb
    sha:1777fdb558240f44144564c4805066ddfa998bdb
  • alt-php56-common_5.6.40-123_amd64.deb
    sha:8076a6f07143782d45d7b8a4d490c35181fd26d2
  • alt-php56-dba_5.6.40-123_amd64.deb
    sha:a10d02f082e68dff98f21668be965d7bac8d7b62
  • alt-php56-dbx_5.6.40-123_amd64.deb
    sha:19c280c8aa472f88b0e7f19d4719b95c7ef809a8
  • alt-php56-dev_5.6.40-123_amd64.deb
    sha:a00d00a70fbb8c49888ac3fa56092f82e7dea558
  • alt-php56-enchant_5.6.40-123_amd64.deb
    sha:7ea200348e9a5f4c1455a2406bf50958fe95e437
  • alt-php56-firebird_5.6.40-123_amd64.deb
    sha:b46c4e47d39e7ab4278aa3d37b38a1a4b625276b
  • alt-php56-fpm_5.6.40-123_amd64.deb
    sha:0f5b97caf0d81f6b964a7cafd1d75a071ed79afd
  • alt-php56-gd_5.6.40-123_amd64.deb
    sha:dbb7ce0c3a048e3caa9753c97c9bee91f112e12f
  • alt-php56-imap_5.6.40-123_amd64.deb
    sha:bf4365eb13adacc8c5abe73126c34be154bc1fa9
  • alt-php56-intl_5.6.40-123_amd64.deb
    sha:23366fba40e99fdd016af3049e9adb68f25848b5
  • alt-php56-ldap_5.6.40-123_amd64.deb
    sha:896530e887e14a0f254bf7e51e06bdf9e9c47fd6
  • alt-php56-mbstring_5.6.40-123_amd64.deb
    sha:4f1a64999d915a9960f2b462e3bfe963f5b44e49
  • alt-php56-mcrypt_5.6.40-123_amd64.deb
    sha:5481523a27fa62eb196883a175ce9d77d40efcb7
  • alt-php56-mysqlnd_5.6.40-123_amd64.deb
    sha:859a49e9a81e5de7eb1e6c62319919ac9ef9b449
  • alt-php56-odbc_5.6.40-123_amd64.deb
    sha:cd5f912efebf950c3470e8865891cc515aa91041
  • alt-php56-opcache_5.6.40-123_amd64.deb
    sha:07bb74b5e8fa637ca483c3d39cf94d36e1e5ef7b
  • alt-php56-pdo_5.6.40-123_amd64.deb
    sha:2572a3e9abe0998ed87346aa650abc2569d36916
  • alt-php56-pgsql_5.6.40-123_amd64.deb
    sha:e301286f2b31318e1da046488cba09bd63a8fce8
  • alt-php56-process_5.6.40-123_amd64.deb
    sha:1754c4714a7685b50c4d5fad6a6553df2bf09ccd
  • alt-php56-pspell_5.6.40-123_amd64.deb
    sha:4de4d2e58f50e62ae0ebc2e711e3259ad9e9884a
  • alt-php56-recode_5.6.40-123_amd64.deb
    sha:c7f579f49542048db28266bcd872d39a0a608a96
  • alt-php56-snmp_5.6.40-123_amd64.deb
    sha:1db95d8c389db2aa899ee92dea36e2d4618d0d44
  • alt-php56-soap_5.6.40-123_amd64.deb
    sha:c8a7012e973dc1e6c98f21070372270de94d03d5
  • alt-php56-sybase_5.6.40-123_amd64.deb
    sha:4596ad2f27c6bcf23177d8406502bd9c7d414db3
  • alt-php56-tidy_5.6.40-123_amd64.deb
    sha:4cf1b2ca42a06d60653f27fceed205b351ef9790
  • alt-php56-xml_5.6.40-123_amd64.deb
    sha:45c525d10db108b976abc02a8b981cc84d11a5df
  • alt-php56-xmlrpc_5.6.40-123_amd64.deb
    sha:3d906aa3cc70bcdaf6d6c42b8a54d4e625d5a8f5
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.