Home / mailings [USN-8336-1] PHP vulnerabilities
Posted on 28 May 2026
Ubuntu Security==========================================================================Ubuntu Security Notice USN-8336-1
May 28, 2026
php8.1, php8.3, php8.4, php8.5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in PHP.
Software Description:
- php8.5: HTML-embedded scripting language interpreter
- php8.4: HTML-embedded scripting language interpreter
- php8.3: HTML-embedded scripting language interpreter
- php8.1: HTML-embedded scripting language interpreter
Details:
Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly
handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An
attacker could possibly use this issue to perform SQL injection attacks.
(CVE-2025-14179)
It was discovered that PHP incorrectly handled certain encoding names in
mbstring. An attacker could possibly use this issue to obtain sensitive
information or cause a denial of service. This issue only affected Ubuntu
25.10 and Ubuntu 26.04 LTS. (CVE-2026-6104)
It was discovered that PHP incorrectly handled object references while
parsing crafted SOAP requests. A remote attacker could possibly use this
issue to execute arbitrary code. (CVE-2026-6722)
It was discovered that PHP incorrectly sanitized certain data in the
PHP-FPM status page. A remote attacker could possibly use this issue to
inject arbitrary JavaScript code. (CVE-2026-6735)
It was discovered that PHP had an encoding mismatch in mbstring. An
attacker could possibly use this issue to cause PHP to crash, resulting in
a denial of service. (CVE-2026-7259)
It was discovered that PHP incorrectly handled SOAP session persistence
after errors. A remote attacker could possibly use this issue to obtain
sensitive information or cause PHP to crash, resulting in a denial of
service. (CVE-2026-7261)
It was discovered that PHP incorrectly handled missing values in SOAP
typemap decoding. A remote attacker could possibly use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2026-7262)
It was discovered that PHP incorrectly handled XML canonicalization in
DOMNode::C14N(). An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 26.04 LTS.
(CVE-2026-7263)
It was discovered that PHP incorrectly handled very long input in
metaphone(). An attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2026-7568)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
php8.5 8.5.4-0ubuntu1.1
Ubuntu 25.10
php8.4 8.4.11-1ubuntu1.2
Ubuntu 24.04 LTS
php8.3 8.3.6-0ubuntu0.24.04.9
Ubuntu 22.04 LTS
php8.1 8.1.2-1ubuntu2.24
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8336-1
CVE-2025-14179, CVE-2026-6104, CVE-2026-6722, CVE-2026-6735,
CVE-2026-7259, CVE-2026-7261, CVE-2026-7262, CVE-2026-7263,
CVE-2026-7568
Package Information:
https://launchpad.net/ubuntu/+source/php8.5/8.5.4-0ubuntu1.1
https://launchpad.net/ubuntu/+source/php8.4/8.4.11-1ubuntu1.2
https://launchpad.net/ubuntu/+source/php8.3/8.3.6-0ubuntu0.24.04.9
https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.24
--===============6437626181735675512==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
