[security - high] php:7.4 security update
エラータID: AXSA:2026-1217:01
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
Security Fix(es):
* php: php-soap: php-src: PHP SOAP extension: Remote Code Execution via use-after-free vulnerability (CVE-2026-6722)
* PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions (CVE-2026-7258)
* PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation (CVE-2026-6735)
* PHP: PHP SoapServer: Memory corruption and information disclosure via incorrect persistence handling (CVE-2026-7261)
* php: NULL pointer dereference in SOAP apache:Map decoder with missing (CVE-2026-7262)
* php: signed integer overflow in metaphone() (CVE-2026-7568)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-6722
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
CVE-2026-6735
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
CVE-2026-7258
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.
CVE-2026-7261
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.
CVE-2026-7262
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
CVE-2026-7568
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
Modularity name: "php"
Stream name: "7.4"
Update packages.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
N/A
SRPMS
- libzip-1.6.1-1.module+el8+2000+9353ef52.src.rpm
MD5: f8fcd88b8e2736daedd6c9782c062908
SHA-256: 62242075fda0b93e8f76b1cc52c97576be685618c8b05ffee9003114a4f6d500
Size: 732.66 kB - php-pear-1.10.13-1.module+el8+2000+9353ef52.src.rpm
MD5: d01dc8394dfcdca439783acc273952b9
SHA-256: c5d85fd436430a34d0d7954f8d47375de985804ec53f585cc3c1d33add437386
Size: 380.39 kB - php-pecl-apcu-5.1.18-1.module+el8+2000+9353ef52.src.rpm
MD5: 36939acfb2f946358ac62c5a1f27c8ee
SHA-256: ecbfea1f58a9ae0195d3868b55d5dc46fd35927b40416202fabf1262ec1b7bbd
Size: 107.49 kB - php-pecl-rrd-2.0.1-1.module+el8+2000+9353ef52.src.rpm
MD5: 5868ee094eb4bda5f0c022d0d2c013bb
SHA-256: f1271e0451a1f0c608ab7180f22271b657ce50cf2b8f2032c68eed328549d82a
Size: 33.11 kB - php-pecl-xdebug-2.9.5-1.module+el8+2000+9353ef52.src.rpm
MD5: 63623cbf8f9b72291ed87a9e3bae56a1
SHA-256: 68c2d2000eb945c94abf7e73aabf814ee4c6d6b0ae5281527e611ff3b3e5b93f
Size: 442.81 kB - php-pecl-zip-1.18.2-1.module+el8+2000+9353ef52.src.rpm
MD5: e39582839bf5ca2af6a455c26b705ae9
SHA-256: b48d417114f07e2cd494bb10af3610f5d4a1eae44bc43826a8a46c7d4957d9bd
Size: 307.81 kB - php-7.4.33-4.module+el8+2000+9353ef52.src.rpm
MD5: 6abe57c16ea66ab3129e1ebdf96a1e7d
SHA-256: 289ef2fcf9d1bee6359b4ccc5ff78879c20e26181863b243c6383a501e621e6a
Size: 10.19 MB
Asianux Server 8 for x86_64
- apcu-panel-5.1.18-1.module+el8+2000+9353ef52.noarch.rpm
MD5: 86c008df761f89242968e5903610df62
SHA-256: 4de7609fb6d897b8aacd15a4f39ffcf3c6f7f31a786512f48a9a653290c850e1
Size: 22.29 kB - libzip-1.6.1-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: 2cc50108e468315457708fee7420165c
SHA-256: 3d193725d98661c779804e765fd29b598ced28db274879bd390609e6e9ca0336
Size: 63.24 kB - libzip-debugsource-1.6.1-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: 7bb393a77ffea3ac43575345ef25483a
SHA-256: 8139139a8594a2063fce733a7ad38d583d622d12c8883132eb15ca97616c4cca
Size: 100.34 kB - libzip-devel-1.6.1-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: aafef7fe5ede66e660a10414146a36e4
SHA-256: 779380d506ea293260f7569a486211fedf44a954dd605babbbd057764ea7e3b3
Size: 180.02 kB - libzip-tools-1.6.1-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: c8db7f49cafddfe15dfdc3ad9c945577
SHA-256: d35d7e79969b6b7149aa4c55589ce5ff3cc83992e56df75a958d07f7f06f338e
Size: 42.90 kB - php-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: d2df2434e420c74d2bfa52d65c7c8c65
SHA-256: 76e05e386f62313830e2552e43408a9ced3d358f6af61700091c5b7fda2f5a56
Size: 1.52 MB - php-bcmath-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 8d6828ad1c01d6493c456b9b077dee8c
SHA-256: 605fd7b2c9d2f6c32c4849fa0df77cdfe1f03f1d71481a2ccfb76ef999afd249
Size: 81.98 kB - php-cli-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: a35e1b0b69d35d244df74c6b74832c0d
SHA-256: dfbba6625e63450027086432ea4ac1ee34b09fa3c4941ba6b13a1078edf613d6
Size: 3.08 MB - php-common-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 8a3d51fc3c2d5f8839f633d3182d5089
SHA-256: 8a4270b963630ded301eeba2822e4c34447c73cde84a660d265585033ef320a9
Size: 709.49 kB - php-dba-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: bac77e41ebb248953e0934fbb40a18b6
SHA-256: 39f46ed4bcaefde5568068bbac351fc3d57e8a2dad104e4a10d124450c5ca5bb
Size: 80.74 kB - php-dbg-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 47e7e234c7145867314ab4efd5032b5d
SHA-256: d91be1ef49d3b9c0f8c1a1a293fb6949854cd632daa02e9b5b43b7517390d3d4
Size: 1.63 MB - php-debugsource-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 3255f772a3b32408f0b2be617d8145c5
SHA-256: af882ffc49c55ac41a81f06ec9b867b14d19fa51d3e92afa221bdcafc082b0e3
Size: 4.12 MB - php-devel-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: b0a8701b1c7284672623be988df503be
SHA-256: 09844c328f1285b3c646b5a21f36c0de2ec4ec809382926e329cc01da9df2631
Size: 731.74 kB - php-embedded-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: f470feebb3c89d319c7044431f8fbf6d
SHA-256: 03813aac81de9ecbcb00197cdcd37123de9f35b50a1df7819774d5dcbd6f87e3
Size: 1.52 MB - php-enchant-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: e74700759457a35f7212c90b6102d5e2
SHA-256: 08e6f1fffc7067538190f5c5535876e4c257f8b7d540082c5ed39a33b496f54d
Size: 66.67 kB - php-ffi-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 5a53dc5e823643756374b703670c5091
SHA-256: 9a2b4570c219ab0deaa136366f3da76f0d833642baf8a66a998177990a7bf086
Size: 118.93 kB - php-fpm-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: e2c8bf23af00df3511e1b586e399d102
SHA-256: d5e1f56d3fa3c874e9cae39d7294403fb787613cae2b70830982fbe15310d89a
Size: 1.61 MB - php-gd-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 867c4447c950460459b87dbd815f1a66
SHA-256: b692c3d61f0830b43cef631d1128b6e26e067534f71dcdf807237347d00c4c41
Size: 86.90 kB - php-gmp-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 45e2ef059b50cdc45160149bf5bd9177
SHA-256: f2f6fe31dcb1eb25a39d19fcda6ee1de050894195d1dea086f83324f8157d09f
Size: 78.70 kB - php-intl-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 9b5ccb3685e21e54a4ab63b14d086ed1
SHA-256: 53082a6c3b4cd006524c352520ae7eda2c1fbc565fdeaf941efd5d9f0a53337f
Size: 194.81 kB - php-json-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 0deaaf96036a00e2cebe2310f1f60f29
SHA-256: 537aa618f742f794604001cd3b9c38f73ca3141fa833a2319477a6026e178202
Size: 76.19 kB - php-ldap-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: fbd2e1faf577a589f0c53f0565c15f40
SHA-256: 4e13b28c3ad8efd06f32798e4083c457b5c1f4143e9ca8a71f701a4f594ce7d2
Size: 88.06 kB - php-mbstring-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 8c51acd3e8db039e71d3f7b00b622289
SHA-256: 714d2a5997b653d0bad0ac103dd29bc37ef4374307b2940c3540b7c86877cc11
Size: 485.62 kB - php-mysqlnd-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: ed58dc358018adf389de8e930133d309
SHA-256: e88bf5a67848c1e9c1ae3698cbd6916b37532c8323e52f83ce5cd328962e97ff
Size: 195.34 kB - php-odbc-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 21f10e8fe626d308861bf74a790b482e
SHA-256: 1c9ea2b0946b886bfd5743279017bd0797a78dfa3ef50cf31aa46ec851f1bbc2
Size: 91.97 kB - php-opcache-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 69d9a6eeedbbbad3b1f939d33b1e9188
SHA-256: 84b6221b53af83c720384e69302d906f1e5a3e41227d375a340ac8971325f829
Size: 269.16 kB - php-pdo-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 9536800f8e781fde1fa23afd93e75309
SHA-256: 47fca779efea807e4e0e9893a53c7df068ebc684545a175eb15435a6c3274357
Size: 125.06 kB - php-pear-1.10.13-1.module+el8+2000+9353ef52.noarch.rpm
MD5: 073abe2112aceefcbd9683f8c9314e55
SHA-256: 8954cf21285f195f96b9cab3dde35539c0ef2551021aa3c958705ec9a589a881
Size: 360.52 kB - php-pecl-apcu-5.1.18-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: c183c7c606c3c86b2135bc1acfa3d6f6
SHA-256: 4c18ab7d7b383c0057bee63e32241d13125ef36914dfd4d056d7425205333129
Size: 62.79 kB - php-pecl-apcu-debugsource-5.1.18-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: 57d2e2fd2c9c1515be0f6ac80d012fb1
SHA-256: 4d33a884451d8c65fbc466553f9dc094492f13a74e8d9b03396b6228dbfd2344
Size: 49.51 kB - php-pecl-apcu-devel-5.1.18-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: b8305676300ed66c99ddefbed6a19bd4
SHA-256: 2d06b3f3e8cef390625ac73c2251c1cfe97236d25bf20a3cd64194a4635eff6a
Size: 46.15 kB - php-pecl-rrd-2.0.1-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: 232c103527e3a5fdd86a280da65e7da7
SHA-256: 12e540d4241ec356e3b88e72813f1354f27a48eff526cc8001eb47e6fed381b8
Size: 30.51 kB - php-pecl-rrd-debugsource-2.0.1-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: 087e6bc2b7c481837bdf404333386716
SHA-256: 193e506629b665230cefde317e8bfd96fbe7addeb11116abac59b1bc6406065b
Size: 22.38 kB - php-pecl-xdebug-2.9.5-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: 1768c3422d9b16fb44c9d6dfe10f4ee7
SHA-256: 0976f5e68a99bf15119d7c74bc034cd0cf1dc139f1fd4e3785a695646c5b6347
Size: 176.25 kB - php-pecl-xdebug-debugsource-2.9.5-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: 020774d6fda50dd89f84cde2d3d00e5a
SHA-256: 4c2030239dccfe0ab4885e14f389a90d3da45f6c2ec1915e98156562bbc53ad4
Size: 134.23 kB - php-pecl-zip-1.18.2-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: fc39c029c7cab2bd14e6e1194fddc8c6
SHA-256: e90f66eaf5924cead8537d2aa2b59f71bcb5b507aaa76e3aa1cac197bfc804ce
Size: 53.56 kB - php-pecl-zip-debugsource-1.18.2-1.module+el8+2000+9353ef52.x86_64.rpm
MD5: a1424bdc6f0745d309acbf5afe03b291
SHA-256: 4c104d2398531d6877500f99a4b958630a22face851958d9fc371e27ba2e2271
Size: 31.19 kB - php-pgsql-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: d4a1bbac3df113d048ca579696b8a9da
SHA-256: 17b9065ec9b009d0fe9fe973aafcfba5e81d0d6c1466dfc309bba35f42924df9
Size: 121.20 kB - php-process-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: c22effc9cf35028f94a10023999cfab5
SHA-256: cda1abdac8aa1af1bf6cb551c75316a30ab07e81164fc192782c36f3b1f4c8f7
Size: 87.19 kB - php-snmp-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 673ad1592d62cde43eeb35ac0f6c79d5
SHA-256: 29a56a80390302f8d3c25c93cef00d977f47768f607eb8342f7c2d05285982b7
Size: 76.46 kB - php-soap-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: 45166ffe1b45681ff878f7ba52e339a6
SHA-256: cc422271e6747ba32dc83d8b829b2f3e3a8aa5324f899f62e79031448813d788
Size: 178.54 kB - php-xml-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: d42f2f28e0433788ef3f3f64f76e2614
SHA-256: a88d15b034f96ce38097839b80a024e370b46002214fb4a51c13c53d58a3b383
Size: 177.35 kB - php-xmlrpc-7.4.33-4.module+el8+2000+9353ef52.x86_64.rpm
MD5: c50529dac72a690ebf279806f132b312
SHA-256: 765cb84c06b3f24805d19fc08ee17c00579a60f4c6f6e9a5afaf847801f888b6
Size: 91.84 kB