[CLSA-2026:1779365721] Fix CVE(s): CVE-2026-6722, CVE-2026-6735, CVE-2026-7261, CVE-2026-7262
Type: security
Severity: Critical
Release date: 2026-05-21 12:15:28 UTC
Description:
  * SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
    - debian/patches/php-5.6-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes to pre-PHP7 zval** SOAP API.
    - Note: the 5.6 backport applies the addref half of the upstream fix only; the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is intentionally omitted because in 5.x ref_map is heterogeneous (stores both xmlNodePtr and zval* entries through the same API) and a ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone closes the UAF; cost is one bounded zval leak per request, released with the emalloc pool at RSHUTDOWN.
    - CVE-2026-6722
  * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
    - debian/patches/php-5.6-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
    - CVE-2026-7262
  * SECURITY UPDATE: soap extension use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
    - debian/patches/php-5.6-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj) sites in the header-handler failure paths with a persistance!=SOAP_PERSISTENCE_SESSION guard.
    - CVE-2026-7261
  * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri and query_string
    - debian/patches/php-5.6-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — fix bogus `ENT_HTML_IGNORE_ERRORS & ENT_COMPAT` (= 0) flag and add a parallel escape block for request_uri.
    - Note: upstream (PHP 8.x) routes JSON status output through php_json_encode_string(), which is not exported on 5.x. The 5.6 backport therefore applies the same HTML entity escape to both the HTML and JSON paths via the shared request_uri / query_string buffers. Consumers of `/status?json` will now see HTML-entity-encoded bytes in those fields (e.g. `&amp;` instead of `&`); entities decode back to the original byte but JSON consumers must be prepared to handle them.
    - CVE-2026-6735
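For the `/status?json` note under CVE-2026-6735, the following is an added example (not CloudLinux or PHP project code) of a monitoring consumer that removes the HTML-entity layer exactly once and re-escapes only when the value is rendered as HTML. The sample response is constructed, the function names are hypothetical, and the `request uri` key is assumed to be the field that carries the escaped request_uri / query_string buffers in php-fpm's full status output.

```python
import html
import json

# Constructed sample of a patched `/status?json&full` response; it was not
# captured from a real server.
SAMPLE = r'''{
  "pool": "www",
  "processes": [
    {"pid": 101, "request method": "GET",
     "request uri": "/search.php?q=a&amp;b=&lt;script&gt;"},
    {"pid": 102, "request method": "GET",
     "request uri": "/doc.php?t=AT&amp;amp;T"}
  ]
}'''

# Assumption: keys whose values pass through the shared escaped buffers.
ESCAPED_FIELDS = ("request uri",)


def decode_status(raw):
    """Parse the status JSON and undo the HTML-entity layer exactly once.

    Decoding once matters: a request that literally contained "&amp;" arrives
    as "&amp;amp;" and must come back as "&amp;", not "&".
    """
    status = json.loads(raw)
    for proc in status.get("processes", []):
        for field in ESCAPED_FIELDS:
            if isinstance(proc.get(field), str):
                proc[field] = html.unescape(proc[field])
    return status


def render_row(proc):
    """Escape again at the output boundary when the value is shown in HTML."""
    return "<tr><td>%d</td><td>%s</td></tr>" % (
        proc["pid"], html.escape(proc["request uri"], quote=True))


if __name__ == "__main__":
    for p in decode_status(SAMPLE)["processes"]:
        print(p["request uri"], "->", render_row(p))
```

Store and alert on the decoded value, and treat it as untrusted input wherever it is displayed.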
Updated packages:
  • alt-php56_5.6.40-123_amd64.deb
    sha:4373670707e443db2de269c39432c2f03fc4f0b6
  • alt-php56-bcmath_5.6.40-123_amd64.deb
    sha:776ef0ff061600d70765893095c1cd61cfd10c2b
  • alt-php56-cli_5.6.40-123_amd64.deb
    sha:59f9a1fda50ae280e8fcde58b6cb08a66f0262f1
  • alt-php56-common_5.6.40-123_amd64.deb
    sha:a9c4cfdd40b3fbddf2d67e18b527be90e2726e66
  • alt-php56-dba_5.6.40-123_amd64.deb
    sha:bf18aae97a1aa9b3ee0ba4a138f5f751ef5d729b
  • alt-php56-dbx_5.6.40-123_amd64.deb
    sha:9ddef158695ac87aa51cfccc3e1dbafe63208e91
  • alt-php56-dev_5.6.40-123_amd64.deb
    sha:d80b18d954511a9560010ba10750d7a07e93771d
  • alt-php56-enchant_5.6.40-123_amd64.deb
    sha:e5b7f8c2c51bdd06663ca72e48e11b2a64cc195c
  • alt-php56-firebird_5.6.40-123_amd64.deb
    sha:0f5444fda91b108655281fc08d5bf1813158305f
  • alt-php56-fpm_5.6.40-123_amd64.deb
    sha:4c71d0e6cadf89d37816193971d4060b579da67a
  • alt-php56-gd_5.6.40-123_amd64.deb
    sha:e3abf643a186d4a6b6580c2e4cd7237d60ddc11c
  • alt-php56-imap_5.6.40-123_amd64.deb
    sha:0ab394b0a43ffe82e00fe89227b83c5bf7e81e05
  • alt-php56-intl_5.6.40-123_amd64.deb
    sha:2877ec4e973f1485a52b0c16427f2a12fca865f9
  • alt-php56-ldap_5.6.40-123_amd64.deb
    sha:e505b1c811274f8c149720a01fd7ed96b0747915
  • alt-php56-mbstring_5.6.40-123_amd64.deb
    sha:bbebe40255eaca937eb1cf31b4dd35bb469451a2
  • alt-php56-mcrypt_5.6.40-123_amd64.deb
    sha:c5e46ec12d6ee2bdd104951ef63532d14ff7fe85
  • alt-php56-mysqlnd_5.6.40-123_amd64.deb
    sha:dca90606aeb7b1cf29d25ba2d0cb09d84ecf9189
  • alt-php56-odbc_5.6.40-123_amd64.deb
    sha:a29e51a039eb6f07240397716d45b80a68b482f5
  • alt-php56-opcache_5.6.40-123_amd64.deb
    sha:ae8a073ce69ae7a3212b160e9be2463c924b5b43
  • alt-php56-pdo_5.6.40-123_amd64.deb
    sha:672364b4706d659ed1b45a9a2b735a95271af3f2
  • alt-php56-pgsql_5.6.40-123_amd64.deb
    sha:f414d9f4448c91134da13df0300c07c538214be9
  • alt-php56-process_5.6.40-123_amd64.deb
    sha:830a1f6a86b83c369c1f4b6b19324ff70bba1d02
  • alt-php56-pspell_5.6.40-123_amd64.deb
    sha:c021b3de757f239204113ab24e347bbe2f9119cd
  • alt-php56-recode_5.6.40-123_amd64.deb
    sha:9031f0a9a20aaf925a08c418191e679ade6ee4bb
  • alt-php56-snmp_5.6.40-123_amd64.deb
    sha:3bdb722424bc05f163ecba29a3f9dcd20e242f16
  • alt-php56-soap_5.6.40-123_amd64.deb
    sha:d2039dba709c241df36b00c2d150c2312e28de1d
  • alt-php56-sybase_5.6.40-123_amd64.deb
    sha:ac2c38adb8bed60b0aede01a91b64958a62a3b1e
  • alt-php56-tidy_5.6.40-123_amd64.deb
    sha:4c3db5d9cf30587b62d0a1e7b329c0a4ef5bbe53
  • alt-php56-xml_5.6.40-123_amd64.deb
    sha:1bf8de95a4ada598b033ba0ba79c2bcc8886d794
  • alt-php56-xmlrpc_5.6.40-123_amd64.deb
    sha:5858cd260d8a4b34e6739c8bff4e54cdb361bc27
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.