authorRemi Collet <remi@remirepo.net>2026-05-19 11:50:05 +0200
committerRemi Collet <remi@php.net>2026-05-19 11:50:05 +0200
commit4cd51d2ae8cfc95f3393faeea5fbefd09c769089 (patch)
tree9cc3f9df2d4ebbe5048699903b988dbb308ea35e /php-cve-2026-7262.patch
parent0dacae09f1712b6d5d0e8e619555892b988a395a (diff)
Fix XSS within status endpointHEADmaster
CVE-2026-6735

Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
CVE-2026-7261

Fix Broken Apache map value NULL check
CVE-2026-7262
Diffstat (limited to 'php-cve-2026-7262.patch')
-rw-r--r--php-cve-2026-7262.patch121
1 files changed, 121 insertions, 0 deletions
diff --git a/php-cve-2026-7262.patch b/php-cve-2026-7262.patch
new file mode 100644
index 0000000..30cc1df
--- /dev/null
+++ b/php-cve-2026-7262.patch
@@ -0,0 +1,121 @@
+From 2000ef9d03eec8264287a4bcbd642496fe982f2d Mon Sep 17 00:00:00 2001
+From: Ilija Tovilo <ilija.tovilo@me.com>
+Date: Sat, 25 Apr 2026 00:44:37 +0200
+Subject: [PATCH 2/5] GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value
+ NULL check
+
+Fixes GHSA-hmxp-6pc4-f3vv
+Fixes CVE-2026-7262
+
+(cherry picked from commit 79551ab8b1a97760c739e372f9bc359619f3554d)
+(cherry picked from commit aed3e63e282235b32a07ca28cc20728eedfcfec3)
+(cherry picked from commit 8c897384b867a573d52a04b455fe2da30671d0ea)
+(cherry picked from commit b41a11a9786cc5b6b343b47c37ad8c1fdc2dbf33)
+(cherry picked from commit 254773b5b1d0ef25409c35e74b87c5ef93459115)
+(cherry picked from commit c21561700dcfc3304322845c2d3da028c3c73345)
+(cherry picked from commit 16c2b25d363d73d72a3139e747cc9d5c8d5bef2b)
+(cherry picked from commit b1bc3b191eb9ff6ca90f90572ba8fac016163fe9)
+---
+ ext/soap/php_encoding.c | 2 +-
+ ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt | 39 +++++++++++++++++++++++++
+ 2 files changed, 40 insertions(+), 1 deletion(-)
+ create mode 100644 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
+
+diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
+index 0f85ddde1b..40e87f238e 100644
+--- a/ext/soap/php_encoding.c
++++ b/ext/soap/php_encoding.c
+@@ -2850,7 +2850,7 @@ static zval *to_zval_map(encodeTypePtr type, xmlNodePtr data TSRMLS_DC)
+ }
+
+ xmlValue = get_node(item->children, "value");
+- if (!xmlKey) {
++ if (!xmlValue) {
+ soap_error0(E_ERROR, "Encoding: Can't decode apache map, missing value");
+ }
+
+diff --git a/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
+new file mode 100644
+index 0000000000..e46ab2e460
+--- /dev/null
++++ b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
+@@ -0,0 +1,39 @@
++--TEST--
++GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value
++--CREDITS--
++Ilia Alshanetsky (iliaal)
++--EXTENSIONS--
++soap
++--FILE--
++<?php
++
++$request = <<<XML
++<?xml version="1.0" encoding="UTF-8"?>
++<soap:Envelope
++ xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
++ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
++ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
++ xmlns:apache="http://xml.apache.org/xml-soap">
++
++ <soap:Body>
++ <test>
++ <map xsi:type="apache:Map">
++ <item><key>hello</key></item>
++ </map>
++ </test>
++ </soap:Body>
++</soap:Envelope>
++XML;
++
++$server = new SoapServer(null, [
++ 'uri' => 'urn:test',
++ 'typemap' => [['type_name' => 'anything']],
++]);
++$server->addFunction('test');
++function test($m) { return null; }
++$server->handle($request);
++
++?>
++--EXPECT--
++<?xml version="1.0" encoding="UTF-8"?>
++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: Can't decode apache map, missing value</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+--
+2.54.0
+
+From 873ac18f30679150c499b240062cf8895df7c664 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 7 May 2026 09:01:35 +0200
+Subject: [PATCH 4/5] NEWS from 8.2.31
+
+(cherry picked from commit 7dff10e9a31d469fcd436e10b06f8b2bf2758a68)
+(cherry picked from commit 1cbf0c27044bd54fb77de8a6bf993a7ab53892a4)
+(cherry picked from commit 6b9f5d1673522bb3cf5d77889919084024565c7f)
+(cherry picked from commit 5be222339cd6d299aa9170e6fa9edd51a5c42f39)
+(cherry picked from commit 8884e113e8351693eb4b5f1c58485ad0e4508d3a)
+(cherry picked from commit 5cf6ff5fcde53a1a941fea374b483e9ff89a9f9f)
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 24fa47ec2b..b46e2b0c5d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 8.2.31
++
++- SOAP:
++ . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with
++ SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
++ . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check).
++ (CVE-2026-7262) (ilutov)
++
+ Backported from 8.1.31
+
+ - CLI:
+--
+2.54.0
+
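Review bot: In the embedded ext/soap/php_encoding.c hunk, the corrected guard `if (!xmlValue)` in to_zval_map still has no `return` after `soap_error0(E_ERROR, ...)`. Whatever uses xmlValue further down is therefore protected only if that call never returns, which the SOAP fault expected by the new .phpt suggests but the hunk does not show. I would state the assumption next to the guard, for example `/* soap_error0(E_ERROR) does not return, so xmlValue is non-NULL below */`, so a later change of the severity argument does not silently reopen the NULL dereference. The body of to_zval_map starts and ends outside the hunk, so the preceding xmlKey check and the use of xmlValue are not visible here. The added test covers an `<item>` that has a key but no value; if no existing test does, a case with an empty `<item/>` would also pin the key check, which this typo was copied from.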