
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN475
_____________________________________________________________________

DATE                : 11/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PHP versions prior to 8.2.31,
                     8.3.31, 8.4.21, 8.5.6.

=====================================================================
https://www.php.net/ChangeLog-8.php#8.2.31
https://www.php.net/ChangeLog-8.php#8.3.31
https://www.php.net/ChangeLog-8.php#8.4.21
https://www.php.net/ChangeLog-8.php#8.5.6
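As an added example (not part of the CERT-Renater note or of the PHP project), the Python helper below compares version strings as printed by `php -v` against the four fixed releases named above and flags hosts that still need the update; the inventory records, hostnames and the `report()` record format are constructed for the example.

```python
import re

# Lowest fixed release of each PHP branch named in the advisory
# (8.2.31, 8.3.31, 8.4.21, 8.5.6); branches older than 8.2 get no fix.
FIXED_RELEASES = {(8, 2): (8, 2, 31), (8, 3): (8, 3, 31),
                  (8, 4): (8, 4, 21), (8, 5): (8, 5, 6)}

# First dotted triple in the input, so "PHP 8.3.30 (cli) (built: ...)" and
# distribution strings like "8.4.20-1+0~20260401.1+debian12~1" both parse.
_TRIPLE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_php_version(text):
    """Return (major, minor, patch) from a `php -v` line or bare version."""
    match = _TRIPLE.search(text)
    if match is None:
        raise ValueError(f"no PHP version found in {text!r}")
    return tuple(int(part) for part in match.groups())

def assess(text):
    """Classify one version string against the advisory's fixed releases.

    Returns (status, fixed_release): status is "affected" or "fixed" for a
    listed branch; "affected" with None for branches older than 8.2 (no fixed
    release exists); "unlisted" with None for branches newer than 8.5.
    """
    version = parse_php_version(text)
    branch = version[:2]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is not None:
        return ("affected" if version < fixed else "fixed", fixed)
    return ("affected", None) if branch < (8, 2) else ("unlisted", None)

def report(inventory):
    """Map hostname -> status for 'host<TAB>php -v first line' records."""
    return {host: assess(php_v)[0]
            for host, _, php_v in (rec.partition("\t") for rec in inventory)}

# Constructed sample inventory (hostname, first line of `php -v`); not real hosts.
SAMPLE_INVENTORY = [
    "web-01\tPHP 8.3.30 (cli) (built: Apr  2 2026 10:11:12) (NTS)",
    "web-02\tPHP 8.3.31 (cli) (built: May  7 2026 09:00:00) (NTS)",
    "api-01\tPHP 8.5.5-1+0~20260401.1 (fpm-fcgi) (built: Apr  1 2026)",
    "legacy\tPHP 8.1.33 (cli) (built: Jan  5 2026 12:00:00) (NTS)",
]

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The check compares upstream version numbers only: distributions that backport fixes without bumping the version (Debian, RHEL and their derivatives) must be assessed against the vendor's own advisory or package changelog instead.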
_____________________________________________________________________

Version 8.2.31
07 May 2026

    Curl:
        Add support for brotli and zstd on Windows.
    FPM:
        Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
    MBString:
        Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
    OpenSSL:
        Fix compatibility issues with OpenSSL 4.0.
    PDO_Firebird:
        Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179)
    SOAP:
        Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722)
        Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261)
        Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262)
    Standard:
        Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568)
        Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258)

_____________________________________________________________________

Version 8.3.31
07 May 2026

    Curl:
        Add support for brotli and zstd on Windows.
    FPM:
        Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
    MBString:
        Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
    OpenSSL:
        Fix compatibility issues with OpenSSL 4.0.
    PDO_Firebird:
        Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179)
    SOAP:
        Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722)
        Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261)
        Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262)
    Standard:
        Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568)
        Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258)

_____________________________________________________________________

Version 8.4.21
07 May 2026

    Core:
        Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors).
        Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies).
        Fixed bug GH-21605 (Missing addref for Countable::count()).
        Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws).
        Fixed bug GH-21603 (Missing addref for __unset).
        Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV).
    CLI:
        Fixed bug GH-21754 (`--rf` command line option with a method triggers ext/reflection deprecation warnings).
    Curl:
        Add support for brotli and zstd on Windows.
    DOM:
        Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263)
        Fixed bug GH-21688 (segmentation fault on empty HTMLDocument).
        Upgrade to lexbor v2.7.0.
    FPM:
        Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
    Iconv:
        Fixed bug GH-17399 (iconv memory leak on bailout).
    MBString:
        Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
        Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104)
    Opcache:
        Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg).
        Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch).
        Fixed bug GH-21460 (COND optimization regression).
        Fixed faulty returns out of zend_try block in zend_jit_trace().
    OpenSSL:
        Fix a bunch of memory leaks and crashes on edge cases.
    PDO_Firebird:
        Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179)
    Phar:
        Restore is_link handler in phar_intercept_functions_shutdown.
        Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment).
        Fix memory leak in Phar::offsetGet().
        Fix memory leak in phar_add_file().
        Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close).
        Fix memory leak in phar_verify_signature() when md_ctx is invalid.
    Random:
        Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state).
    Session:
        Fixed memory leak when session GC callback returns a refcounted value.
    SOAP:
        Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722)
        Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261)
        Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262)
    SPL:
        Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free).
        Fix concurrent iteration and deletion issues in SplObjectStorage.
    Standard:
        Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568)
        Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258)
    Streams:
        Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set).
    XSL:
        Fixed bug GH-21600 (Segfault on module shutdown).
    Zip:
        Fixed bug GH-21698 (memory leak with ZipArchive::addGlob() early return statements).

_____________________________________________________________________

Version 8.5.6
07 May 2026

    Core:
        Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors).
        Fixed ZEND_API mismatch on zend_ce_closure forward decl for Windows+Clang.
        Fixed bug GH-21504 (Incorrect RC-handling for ZEND_EXT_STMT op1).
        Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies).
        Fixed bug GH-21605 (Missing addref for Countable::count()).
        Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws).
        Fixed bug GH-21603 (Missing addref for __unset).
        Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV).
    CLI:
        Fixed bug GH-21754 (`--rf` command line option with a method triggers ext/reflection deprecation warnings).
    Curl:
        Add support for brotli and zstd on Windows.
    DOM:
        Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263)
    FPM:
        Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
    Iconv:
        Fixed bug GH-17399 (iconv memory leak on bailout).
    Lexbor:
        Upgrade to lexbor v2.7.0.
    MBString:
        Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
        Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104)
    Opcache:
        Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg).
        Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch).
        Fixed bug GH-21460 (COND optimization regression).
        Fixed faulty returns out of zend_try block in zend_jit_trace().
    OpenSSL:
        Fix memory leak regression in openssl_pbkdf2().
        Fix a bunch of memory leaks and crashes on edge cases.
    PDO_Firebird:
        Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179)
    PDO_PGSQL:
        Fixed bug GH-21683 (pdo_pgsql throws with ATTR_PREFETCH=0 on empty result set).
    Phar:
        Restore is_link handler in phar_intercept_functions_shutdown.
        Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment).
        Fix memory leak in Phar::offsetGet().
        Fix memory leak in phar_add_file().
        Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close).
        Fix memory leak in phar_verify_signature() when md_ctx is invalid.
    Random:
        Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state).
    Session:
        Fixed memory leak when session GC callback returns a refcounted value.
    SOAP:
        Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722)
        Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261)
        Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262)
    SPL:
        Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free).
        Fix concurrent iteration and deletion issues in SplObjectStorage.
    Sqlite3:
        Fixed wrong free list comparator pointer type.
    Standard:
        Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568)
        Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258)
    Streams:
        Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set).
    URI:
        Fixed CVE-2026-42371 (uriparser before 1.0.1 has numeric truncation in text range comparison). (CVE-2026-42371)

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================