SB20260513120 - Debian update for php8.2

Description

This security bulletin contains information about 8 vulnerabilities.

1) SQL injection (CVE-ID: CVE-2025-14179)

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in PDO_Firebird quoted string handling when processing NUL bytes in quoted strings. A remote attacker can supply crafted input containing NUL bytes to execute arbitrary SQL commands.

2) Use-after-free (CVE-ID: CVE-2026-6722)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a stale pointer in SOAP_GLOBAL(ref_map) when processing SOAP requests with Apache Map. A remote attacker can send a specially crafted SOAP request to cause a denial of service.

Exploitation requires the Apache Map environment.

3) Cross-site scripting (CVE-ID: CVE-2026-6735)

The vulnerability allows a remote attacker to execute arbitrary script code in a user's browser.

The vulnerability exists due to cross-site scripting in the FPM status endpoint when handling requests. A remote attacker can send a specially crafted request to execute arbitrary script code in a user's browser.

4) Type conversion (CVE-ID: CVE-2026-7258)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper type handling in ctype.h function calls when processing non-unsigned char values. A remote attacker can supply crafted input to cause a denial of service.

5) NULL pointer dereference (CVE-ID: CVE-2026-7259)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a null pointer dereference in php_mb_check_encoding() when mb_ereg_search_init() processes crafted input. A remote attacker can supply crafted input to cause a denial of service.

6) Use-after-free (CVE-ID: CVE-2026-7261)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use-after-free in SOAP header parsing when a header parsing failure occurs with SOAP_PERSISTENCE_SESSION. A remote attacker can send a specially crafted SOAP request to cause a denial of service.

Exploitation requires SOAP_PERSISTENCE_SESSION.

7) NULL pointer dereference (CVE-ID: CVE-2026-7262)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper null pointer handling in Apache map value processing when handling SOAP requests. A remote attacker can send a specially crafted SOAP request to cause a denial of service.

Exploitation requires the Apache Map environment.

8) Integer overflow (CVE-ID: CVE-2026-7568)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer overflow in char array offset handling when processing crafted input. A remote attacker can supply crafted input to cause a denial of service.

Remediation

Install update from vendor's website.

References

• https://lists.debian.org/debian-security-announce/2026/msg00166.html