From 2000ef9d03eec8264287a4bcbd642496fe982f2d Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sat, 25 Apr 2026 00:44:37 +0200
Subject: [PATCH 2/5] GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value
 NULL check

Fixes GHSA-hmxp-6pc4-f3vv
Fixes CVE-2026-7262

(cherry picked from commit 79551ab8b1a97760c739e372f9bc359619f3554d)
(cherry picked from commit aed3e63e282235b32a07ca28cc20728eedfcfec3)
(cherry picked from commit 8c897384b867a573d52a04b455fe2da30671d0ea)
(cherry picked from commit b41a11a9786cc5b6b343b47c37ad8c1fdc2dbf33)
(cherry picked from commit 254773b5b1d0ef25409c35e74b87c5ef93459115)
(cherry picked from commit c21561700dcfc3304322845c2d3da028c3c73345)
(cherry picked from commit 16c2b25d363d73d72a3139e747cc9d5c8d5bef2b)
(cherry picked from commit b1bc3b191eb9ff6ca90f90572ba8fac016163fe9)
---
 ext/soap/php_encoding.c                 |  2 +-
 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt | 39 +++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt

diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 0f85ddde1b..40e87f238e 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -2850,7 +2850,7 @@ static zval *to_zval_map(encodeTypePtr type, xmlNodePtr data TSRMLS_DC)
 			}
 
 			xmlValue = get_node(item->children, "value");
-			if (!xmlKey) {
+			if (!xmlValue) {
 				soap_error0(E_ERROR,  "Encoding: Can't decode apache map, missing value");
 			}
 
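Review bot: The corrected guard on `xmlValue` has no exit of its own, so the fix only holds if `soap_error0(E_ERROR, ...)` never returns. The expected fault output in the new test suggests that it does not, but nothing in this hunk shows it. A one-line comment after the check, such as `/* soap_error0(E_ERROR) does not return, so xmlValue is non-NULL below */`, would make that dependency explicit. This matters because the test shows the path is reached from a request body passed to `SoapServer::handle()`. `to_zval_map` begins and ends outside the hunk, so how `xmlValue` is used afterwards is not visible here.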
diff --git a/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
new file mode 100644
index 0000000000..e46ab2e460
--- /dev/null
+++ b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
@@ -0,0 +1,39 @@
+--TEST--
+GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value
+--CREDITS--
+Ilia Alshanetsky (iliaal)
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+$request = <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope
+    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+    xmlns:apache="http://xml.apache.org/xml-soap">
+
+    <soap:Body>
+        <test>
+            <map xsi:type="apache:Map">
+                <item><key>hello</key></item>
+            </map>
+        </test>
+    </soap:Body>
+</soap:Envelope>
+XML;
+
+$server = new SoapServer(null, [
+    'uri' => 'urn:test',
+    'typemap' => [['type_name' => 'anything']],
+]);
+$server->addFunction('test');
+function test($m) { return null; }
+$server->handle($request);
+
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: Can't decode apache map, missing value</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
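Review bot: The regression test pins only the missing-value branch, because its single `<item><key>hello</key></item>` never exercises the sibling key check that was confused with it in php_encoding.c. A second request with `<item><value>hello</value></item>`, and one with an empty `<item/>`, would keep both guards covered against the same mix-up. Separately, `TSRMLS_DC` in the C hunk suggests this backport targets an old branch. If that branch's run-tests.php does not honour `--EXTENSIONS--`, the test will fail rather than skip when soap is not loaded; a `--SKIPIF--` section with `<?php if (!extension_loaded('soap')) die('skip soap extension not available'); ?>` would be the form to use there.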
-- 
2.54.0

From 873ac18f30679150c499b240062cf8895df7c664 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Thu, 7 May 2026 09:01:35 +0200
Subject: [PATCH 4/5] NEWS from 8.2.31

(cherry picked from commit 7dff10e9a31d469fcd436e10b06f8b2bf2758a68)
(cherry picked from commit 1cbf0c27044bd54fb77de8a6bf993a7ab53892a4)
(cherry picked from commit 6b9f5d1673522bb3cf5d77889919084024565c7f)
(cherry picked from commit 5be222339cd6d299aa9170e6fa9edd51a5c42f39)
(cherry picked from commit 8884e113e8351693eb4b5f1c58485ad0e4508d3a)
(cherry picked from commit 5cf6ff5fcde53a1a941fea374b483e9ff89a9f9f)
---
 NEWS | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/NEWS b/NEWS
index 24fa47ec2b..b46e2b0c5d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,14 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 
+Backported from 8.2.31
+
+- SOAP:
+  . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with
+    SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
+  . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check).
+    (CVE-2026-7262) (ilutov)
+
 Backported from 8.1.31
 
 - CLI:
-- 
2.54.0