Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN501
_____________________________________________________________________

DATE                : 13/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running ext-soap (PHP), php-src (PHP),
                        PHP-FPM (PHP) versions prior to 8.2.31,
                                 8.3.31, 8.4.21, 8.5.6,
                  ext-dom (PHP), ext-mbstring (PHP) versions prior
                                   to 8.4.21, 8.5.6.

=====================================================================
https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5
https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733
https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv
https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q
https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4
https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53
https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv
_____________________________________________________________________


Use-After-Free in SOAP using Apache map with Remote Code Execution
High
iluuu1994 published GHSA-85c2-q967-79q5 May 7, 2026

Package
ext-soap (PHP)

Affected versions
< 8.2.31
< 8.3.31
< 8.4.21
< 8.5.6

Patched versions
8.2.31
8.3.31
8.4.21
8.5.6


Description

ext-soap supports deduplicating objects in the XML graph through
id and href. When traversing the XML graph, ext-soap will remember
all plain PHP objects using the hash map SOAP_GLOBAL(ref_map),
where the pointer to the libxml2 node acts as a key, and the PHP
object as a value. This happens in soap_add_xml_ref().

php-src/ext/soap/php_encoding.c

Lines 349 to 354 in dcf6533
 static void soap_add_xml_ref(zval *data, xmlNodePtr node) 
 { 
 	if (SOAP_GLOBAL(ref_map)) { 
 		zend_hash_index_update(SOAP_GLOBAL(ref_map), (zend_ulong)(uintptr_t)node, data); 
 	} 
 } 

Crucially, the reference count of the PHP object is not increased.
Normally this is not a problem, as all objects in the XML graph
are stored in the resulting object graph and cannot be freed.

soap_check_xml_ref() does the opposite of soap_add_xml_ref(); it
will check whether some libxml2 node as already been evaluated
and stored in SOAP_GLOBAL(ref_map).

php-src/ext/soap/php_encoding.c

Lines 331 to 347 in dcf6533
 static bool soap_check_xml_ref(zval *data, xmlNodePtr node) 
 { 
 	zval *data_ptr; 
  
 	if (SOAP_GLOBAL(ref_map)) { 
 		if ((data_ptr = zend_hash_index_find(SOAP_GLOBAL(ref_map), (zend_ulong)(uintptr_t)node)) != NULL) { 
 			if (!Z_REFCOUNTED_P(data) || 
 			    !Z_REFCOUNTED_P(data_ptr) || 
 			    Z_COUNTED_P(data) != Z_COUNTED_P(data_ptr)) { 
 				zval_ptr_dtor(data); 
 				ZVAL_COPY(data, data_ptr); 
 				return true; 
 			} 
 		} 
 	} 
 	return false; 
 } 

The Apache map offers a mechanism to free objects between these
two points by overwriting existing map entries.

class Handler {
    public function test($map, $stale) {
        global $result;
        $result = $stale;
    }
}

$envelope = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">

    <soapenv:Body>
        <test>
            <map xsi:type="apache:Map" xmlns:apache="http://xml.apache.org/xml-soap">
                <item>
                    <key>somekey</key>
                    <value id="stale"><object>Stale</object></value>
                </item>
                <item>
                    <key>somekey</key>
                    <value></value>
                </item>
            </map>
            <stale href="#stale"/>
        </test>
    </soapenv:Body>
</soapenv:Envelope>
XML;

$s = new SoapServer(null, ['uri' => 'urn:a']);
$s->setClass(Handler::class);
$s->handle($envelope);
var_dump($result);

This example will:

    evaluate the map node
    evaluate the Stale object, which includes calling calling
soap_add_xml_ref() to remember it in SOAP_GLOBAL(ref_map)
    add the resulting object to a temporary map, which will be
the result of the Apache map node
    overwrite the object immediately with NULL for the <item>
with an empty <value>, releasing the Stale object only strongly
referenced by the temporary map, with the reference in
SOAP_GLOBAL(ref_map) becoming stale
    have <stale href="#stale"/> refer to this stale pointer
within SOAP_GLOBAL(ref_map), reusing the freed memory

After this code, $result will refer to the stale memory where
Stale was previously allocated. The attacker has high control
over this memory segment by subsequently allocating plain
strings, leading to Remote Code Execution.

The solution is straight forward, namely increase the reference
count before adding objects to SOAP_GLOBAL(ref_map), and
configure a ZVAL_PTR_DTOR deallocator to release the objects
when the procedure is done.

Severity
High

CVE ID
CVE-2026-6722

Weaknesses
Weakness CWE-416

Credits

    @brettgervasoni brettgervasoni Reporter
    @iluuu1994 iluuu1994 Remediation developer
    @ndossche ndossche Remediation reviewer

_____________________________________________________________________

DoS attack via DOMNode::C14N()
High
iluuu1994 published GHSA-4jhr-8w89-j733 May 7, 2026

Package
ext-dom (PHP)

Affected versions
< 8.4.21
< 8.5.6

Patched versions
8.4.21
8.5.6


Description

Researcher: Nikita Sveshnikov (Positive Technologies)

In DOMNode::C14N(), improper removal of a xmlns libxml2
attribute from a doubly linked list can lead to a corrupt,
circular linked list. The linked list is iterated in many
places in PHP and libxml2, leading to DoS through segfaults,
or temporal and spatial resource starvation.

$doc = Dom\HTMLDocument::createFromString('<svg foo="foo" xmlns="" bar="bar">');
$doc->C14N();
// Segfault on cleanup

// Or

$doc = Dom\HTMLDocument::createFromString('<svg foo="foo" xmlns="" bar="bar">');
$doc->C14N();
$svg = $doc->documentElement->childNodes[1]->childNodes[0];
foreach ($svg->attributes as $prop) {} // This will loop forever

The attribute is removed incorrectly here:

php-src/ext/dom/node.c

Lines 2134 to 2141 in f0f28b7
 if (attr->prev) { 
 	attr->prev = attr->next; 
 } else { 
 	node->properties = attr->next; 
 } 
 if (attr->next) { 
 	attr->next->prev = attr->prev; 
 } 

Notice the attr->prev = attr->next; instead of
attr->prev->next = attr->next;. The attribute is later
(correctly) restored here:

php-src/ext/dom/node.c

Lines 2182 to 2189 in f0f28b7
 if (attr->prev) { 
 	attr->prev->next = attr; 
 } else { 
 	node->properties = attr; 
 } 
 if (attr->next) { 
 	attr->next->prev = attr; 
 } 

After both procedures, the following graph:
Loading

Would result in this graph:
Loading

Continuously following next will result in an infinite
loop.


Severity
High
8.2/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-7263

Weaknesses
Weakness CWE-404

Credits

    @iluuu1994 iluuu1994 Remediation reviewer

_____________________________________________________________________

NULL pointer dereference in SOAP apache:Map decoder with missing <value>
Moderate
iluuu1994 published GHSA-hmxp-6pc4-f3vv May 7, 2026

Package
ext-soap (PHP)

Affected versions
< 8.2.31
< 8.3.31
< 8.4.21
< 8.5.6

Patched versions
8.2.31
8.3.31
8.4.21
8.5.6

Description

to_zval_map() in ext/soap/php_encoding.c decodes apache:Map nodes.
The <key> branch correctly guards against missing keys, but the
<value> branch rechecks xmlKey instead of xmlValue:

php-src/ext/soap/php_encoding.c

Lines 2780 to 2788 in 0d9ff00
 xmlKey = get_node(item->children, "key"); 
 if (!xmlKey) { 
 	soap_error0(E_ERROR,  "Encoding: Can't decode apache map, missing key"); 
 } 
  
 xmlValue = get_node(item->children, "value"); 
 if (!xmlKey) { 
 	soap_error0(E_ERROR,  "Encoding: Can't decode apache map, missing value"); 
 } 

In addition, master_to_zval_int() accesses data->properties without
a NULL check, where data corresponds to the missing <value> node.
This branch is reachable when SOAP_GLOBAL(typemap) is set, i.e. when
the SOAP server has a typemap configured. By embedding an apache:Map
node with a missing <value> node into the request, the process will
segfault with a NULL pointer dereference violation. Under the described
circumstances, DoS becomes trivial with the following example:

$request = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:apache="http://xml.apache.org/xml-soap">
  <soap:Body>
    <test>
      <map xsi:type="apache:Map">
        <item><key>foo</key></item>
      </map>
    </test>
  </soap:Body>
</soap:Envelope>
XML;

$server = new SoapServer(null, [
    'uri' => 'urn:test',
    'typemap' => [['type_name' => 'anything']],
]);
$server->addFunction('test');
function test($m) {}
$server->handle($request);

Severity
Moderate
6.3/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability Low
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVE ID
CVE-2026-7262

Weaknesses
No CWEs

Credits

    @iliaal iliaal Reporter
    @iluuu1994 iluuu1994 Remediation developer

_____________________________________________________________________


SoapServer session-persisted object use-after-free via SOAP header
fault

Moderate
iluuu1994 published GHSA-m33r-qmcv-p97q May 7, 2026

Package
ext-soap (PHP)

Affected versions
< 8.2.31
< 8.3.31
< 8.4.21
< 8.5.6

Patched versions
8.2.31
8.3.31
8.4.21
8.5.6

Description

SOAP_PERSISTENCE_SESSION allows to persist the SOAP handler object
between requests using the session storage. Normally the object is
immediately released after SoapServer::handle(), unless this setting
is specified. This differentiation happens with the
service->soap_class.persistence != SOAP_PERSISTENCE_SESSION check.
soap.c fails to account for this flag in two places:

php-src/ext/soap/soap.c

Line 1595 in 0d9ff00
 if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);} 

php-src/ext/soap/soap.c

Line 1600 in 0d9ff00
 if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);} 

Both of them are failure cases when a handler function for a header node
either returned false or threw an exception. When the session is written,
the freed object will be read and written to the session storage,
resulting in a use-after-free. Normally, a SOAP server will only handle
one SOAP request per PHP request, so it's unlikely that the attacker
will be able to control the freed memory segment, though it is not
impossible.


The following example demonstrates the use-after-free.

class SoapSrv {
    public function return()  {
        return new SoapFault('Server', 'denied');
    }
    public function hello() {
        return 'ok';
    }
}

session_start();

$srv = new SoapServer(null, ['uri' => 'urn:a']);
$srv->setClass('SoapSrv');
$srv->setPersistence(SOAP_PERSISTENCE_SESSION);

$srv->handle(<<<XML
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
  <soap:Header>
    <a:return/>
  </soap:Header>
  <soap:Body>
    <a:hello/>
  </soap:Body>
</soap:Envelope>
XML);

Severity
Moderate
6.3/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality Low
Integrity Low
Availability Low
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CVE ID
CVE-2026-7261

Weaknesses
No CWEs

Credits

    @iliaal iliaal Reporter
    @iluuu1994 iluuu1994 Remediation developer

_____________________________________________________________________

Out-of-bounds read in urldecode()
Moderate
iluuu1994 published GHSA-m8rr-4c36-8gq4 May 7, 2026

Package
php-src (PHP)

Affected versions
< 8.2.31
< 8.3.31
< 8.4.21
< 8.5.6

Patched versions
8.2.31
8.3.31
8.4.21
8.5.6

Description

Consider the following snippet within php_url_decode_ex() at
ext/standard/url.c, called from PHPs urldecode() function:

php-src/ext/standard/url.c

Lines 592 to 593 in dcf6533
 else if (*data == '%' && src_len >= 2 && isxdigit((int) *(data + 1)) 
 		 && isxdigit((int) *(data + 2))) { 

According to the C11 specification, isxdigit()'s (and all other
ctype.h functions') only argument is of type int, and any value
passed to it must be representable by unsigned char, i.e. 0-255.

§7.4:

    The header <ctype.h> declares several functions useful for
classifying and mapping characters. In all cases the argument is
an int, the value of which shall be representable as an
unsigned char or shall equal the value of the macro EOF. If the
argument has any other value, the behavior is undefined.

On platforms where plain char is signed (which is most), passing a
char with a value <0 to int (or casting to int explicitly as in
this case) will lead to signed integer extension, leading to a
negative int value. Instead, the char value should be cast to
unsigned char, so that no sign extension occurs.

Most platforms account for this common mistake. However, on NetBSD
passing negative values to isxdigit() lead to an out-of-bounds
read, leading to a segfault.

urldecode("%\x80");

Severity
Moderate
6.3/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability Low
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVE ID
CVE-2026-7258

Weaknesses
Weakness CWE-125

Credits

    @xfourj xfourj Reporter
    @iluuu1994 iluuu1994 Remediation developer

_____________________________________________________________________


Global buffer over-read in mb_convert_encoding() with
attacker-supplied encoding
Moderate
iluuu1994 published GHSA-74r9-qxhc-fx53 May 7, 2026

Package
ext-mbstring (PHP)

Affected versions
< 8.4.21
< 8.5.6

Patched versions
8.4.21
8.5.6


Description

Summary

A global buffer over-read exists in mbfl_name2encoding_ex()
(ext/mbstring/libmbfl/mbfl/mbfl_encoding.c, line 352),
called from mb_convert_encoding(...) and other mbstring functions,
when parsing encoding names with embedded NUL bytes.


Root Cause

In mbfl_name2encoding_ex, the MIME name search loop (line 352)
uses:

if (strncasecmp((*encoding)->mime_name, name, name_len) == 0 && (*encoding)->mime_name[name_len] == '\0') {

When name contains an embedded NUL byte (e.g., "UTF-8\x00AAAA..."),
strncasecmp returns 0 after matching up to the NUL (since both
strings have NUL at the same position). The subsequent check
(*encoding)->mime_name[name_len] then reads at offset
name_len (e.g., 22) from mime_name, which is only
6 bytes long ("UTF-8\0"). This reads 16+ bytes past the end of
the global string into adjacent global memory.

The same issue exists on lines 362 for encoding aliases.
Minimal Reproducer

<?php
$encoding = "UTF-8\x00AAAAAAAAAAAAAAAA";
mb_convert_encoding('foo', $encoding, $encoding)

Running with ASan-instrumented PHP 8.4.20:

==552769==ERROR: AddressSanitizer: global-buffer-overflow
on address 0x...
READ of size 1
    #0 in mbfl_name2encoding_ex mbfl_encoding.c:352
    #1 in php_mb_parse_encoding_list mbstring.c:350
    #2 in zif_mb_convert_encoding mbstring.c:2865

Attack Surface

    Triggerable when a attacker-controlled encoding is passed
to mb_convert_encoding() without sanitization
    Also affected are mb_detect_encoding(), mb_convert_variables(),
mb_detect_order(), as well as the mbstring.detect_order and
mbstring.http_output INI settings.
    Out-of-bounds read of global memory (CWE-125)
    Information disclosure of adjacent global data; not directly
exploitable for code execution

Environment

    PHP 8.4.0+, -fsanitize=address,undefined

Severity
Moderate
6.3/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability Low
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVE ID
CVE-2026-6104

Weaknesses
Weakness CWE-125

Credits

    @AkshayJainG AkshayJainG Reporter
    @iluuu1994 iluuu1994 Remediation developer

_____________________________________________________________________

XSS within PHP-FPM status endpoint
Moderate
iluuu1994 published GHSA-7qg2-v9fj-4mwv May 7, 2026

Package
PHP-FPM (PHP)

Affected versions
< 8.2.31
< 8.3.31
< 8.4.21
< 8.5.6

Patched versions
8.2.31
8.3.31
8.4.21
8.5.6

Description

Improper sanitization of the request URI within the PHP-FPM status
page allows an attacker to execute arbitrary JavaScript code (XSS)
on the victims machine, possibly stealing cookies on insufficiently
hardened systems, or stealing other sensitive data such as the
information from the status page itself. An attacker does not require
authentication or access to the /status endpoint in order to trigger
XSS, but may simply visit a URI embedding the malicious code.

    Navigate to example.com/<script>alert()</script>
    Navigate to example.com/status?full&html
    Observe the JavaScript pop-up.

The same is possible for the XML endpoint, possibly embedding
malicious XML nodes into the status report.

    Navigate to example.com/<
    Navigate to example.com/status?full&xml
    Observe the XML parsing error.

Severity
Moderate

CVE ID
CVE-2026-6735

Weaknesses
Weakness CWE-79

Credits

    @llrolly llrolly Reporter
    @bukka bukka Remediation developer


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================