[security - high] php:8.2 security update
Errata ID: AXSA:2026-752:01
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
Security Fix(es):
* PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions (CVE-2026-7258)
* PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation (CVE-2026-6735)
* php: NULL pointer dereference in SOAP apache:Map decoder with missing (CVE-2026-7262)
* php: signed integer overflow in metaphone() (CVE-2026-7568)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-6735
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, improper sanitization of user data allows an attacker to compose a URL that causes arbitrary JavaScript code to execute (XSS) on the target's machine when the target views the PHP-FPM status page.
CVE-2026-7258
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass a signed char to ctype functions (such as isxdigit()). On systems where char is signed by default and the ctype functions are implemented as optimized table lookups, such as NetBSD, this can lead to an array access with a negative offset, which can trigger a denial of service.
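The safe calling convention for the ctype issue described above, shown as an added example (not PHP's code and not part of the advisory): a small percent-decoder that converts every byte to unsigned char before it reaches isxdigit(). The names is_hex_byte, hex_value, percent_decode and decode_sample, and the sample input, are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The <ctype.h> functions require an argument representable as unsigned
 * char (or EOF). A plain char holding a byte >= 0x80 is negative where char
 * is signed, so it is converted before the call. */
static int is_hex_byte(char c)
{
    return isxdigit((unsigned char)c) != 0;
}

/* Numeric value of a byte already validated by is_hex_byte(). */
static int hex_value(char c)
{
    unsigned char u = (unsigned char)c;
    return (u >= '0' && u <= '9') ? u - '0' : tolower(u) - 'a' + 10;
}

/* Hypothetical percent-decoder, not PHP's urldecode(). Decodes src[0..len)
 * into dst, which must hold at least len + 1 bytes, and returns the decoded
 * length. Malformed or truncated escapes are copied through unchanged. */
size_t percent_decode(const char *src, size_t len, char *dst)
{
    size_t i = 0, out = 0;   /* unsigned index type for positions */
    while (i < len) {
        if (src[i] == '%' && len - i >= 3 &&
            is_hex_byte(src[i + 1]) && is_hex_byte(src[i + 2])) {
            dst[out++] = (char)(hex_value(src[i + 1]) * 16 + hex_value(src[i + 2]));
            i += 3;
        } else {
            dst[out++] = src[i++];
        }
    }
    dst[out] = '\0';
    return out;
}

/* Constructed sample: raw bytes 0xE9 and 0xFF follow a '%'. With a signed
 * char they are negative values, the case the advisory describes. */
size_t decode_sample(char *dst)
{
    static const char sample[] = "a%41%\xE9\xFFz%2";
    return percent_decode(sample, sizeof sample - 1, dst);
}

int main(void) { char b[16]; printf("%zu\n", decode_sample(b)); return 0; }
```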
CVE-2026-7262
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake: it checks the wrong variable when the value element is missing. This leads to a NULL pointer dereference, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
CVE-2026-7568
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
Modularity name: "php"
Stream name: "8.2"
Update packages.
SRPMS
- libzip-1.7.3-1.module+el8+1985+874a7f9e.src.rpm (Size: 746.87 kB)
- php-pear-1.10.14-1.module+el8+1985+874a7f9e.src.rpm (Size: 380.78 kB)
- php-pecl-apcu-5.1.23-1.module+el8+1985+874a7f9e.src.rpm (Size: 105.42 kB)
- php-pecl-rrd-2.0.3-1.module+el8+1985+874a7f9e.src.rpm (Size: 33.67 kB)
- php-pecl-xdebug3-3.2.2-2.module+el8+1985+874a7f9e.src.rpm (Size: 465.77 kB)
- php-pecl-zip-1.22.3-1.module+el8+1985+874a7f9e.src.rpm (Size: 368.63 kB)
- php-8.2.31-1.module+el8+1985+874a7f9e.src.rpm (Size: 11.77 MB)
Asianux Server 8 for x86_64
- apcu-panel-5.1.23-1.module+el8+1985+874a7f9e.noarch.rpm (Size: 22.84 kB)
- libzip-1.7.3-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 65.98 kB)
- libzip-debugsource-1.7.3-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 104.79 kB)
- libzip-devel-1.7.3-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 188.59 kB)
- libzip-tools-1.7.3-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 43.13 kB)
- php-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 1.80 MB)
- php-bcmath-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 80.15 kB)
- php-cli-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 3.64 MB)
- php-common-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 749.18 kB)
- php-dba-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 80.72 kB)
- php-dbg-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 1.89 MB)
- php-debugsource-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 4.58 MB)
- php-devel-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 826.77 kB)
- php-embedded-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 1.79 MB)
- php-enchant-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 64.77 kB)
- php-ffi-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 121.63 kB)
- php-fpm-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 1.89 MB)
- php-gd-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 86.15 kB)
- php-gmp-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 79.16 kB)
- php-intl-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 205.90 kB)
- php-ldap-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 87.63 kB)
- php-mbstring-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 528.32 kB)
- php-mysqlnd-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 188.61 kB)
- php-odbc-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 91.95 kB)
- php-opcache-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 415.03 kB)
- php-pdo-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 133.33 kB)
- php-pear-1.10.14-1.module+el8+1985+874a7f9e.noarch.rpm (Size: 360.82 kB)
- php-pecl-apcu-5.1.23-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 62.52 kB)
- php-pecl-apcu-debugsource-5.1.23-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 51.52 kB)
- php-pecl-apcu-devel-5.1.23-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 45.82 kB)
- php-pecl-rrd-2.0.3-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 30.75 kB)
- php-pecl-rrd-debugsource-2.0.3-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 22.50 kB)
- php-pecl-xdebug3-3.2.2-2.module+el8+1985+874a7f9e.x86_64.rpm (Size: 211.63 kB)
- php-pecl-xdebug3-debugsource-3.2.2-2.module+el8+1985+874a7f9e.x86_64.rpm (Size: 159.66 kB)
- php-pecl-zip-1.22.3-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 59.57 kB)
- php-pecl-zip-debugsource-1.22.3-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 36.09 kB)
- php-pgsql-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 121.86 kB)
- php-process-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 86.97 kB)
- php-snmp-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 78.20 kB)
- php-soap-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 184.69 kB)
- php-xml-8.2.31-1.module+el8+1985+874a7f9e.x86_64.rpm (Size: 189.07 kB)