Alpine: multiple php84 packages: security update to 8.4.21-r0

critical Tenable Cloud Security Plugin ID 441481

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6,
when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across
requests via session storage. However, when a SOAP request results in an error, the persistence is
handled incorrectly: the object is freed while a pointer to it is kept, which may lead to a
use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with
confidentiality, integrity, and availability impact on the vulnerable system. (CVE-2026-7261)

- In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded
NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes
that when strncasecmp() returns 0 the strings have the same length. This can lead to an out-of-bounds
read of global memory, potentially causing a crash or information disclosure. Affected
functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and
mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
(CVE-2026-6104)

- In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the
SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without
incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the
second entry overwrites the first in the temporary result map, freeing the original PHP object while its
stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling
pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with
control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
(CVE-2026-6722)

- In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, due to
improper sanitization of user data, an attacker can compose a URL that causes the target to
execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM
status page. (CVE-2026-6735)

- In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6,
some functions, including urldecode(), pass a signed char to ctype functions (such as isxdigit()). On
systems where char is signed by default and the ctype functions are implemented as optimized table lookups,
such as NetBSD, this can lead to an array access at a negative offset, which can trigger a denial of service. (CVE-2026-7258)

Solution

Update the php84 library and its related packages to version 8.4.21-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-29078

https://security.alpinelinux.org/vuln/CVE-2026-29079

https://security.alpinelinux.org/vuln/CVE-2026-6104

https://security.alpinelinux.org/vuln/CVE-2026-6722

https://security.alpinelinux.org/vuln/CVE-2026-6735

https://security.alpinelinux.org/vuln/CVE-2026-7258

https://security.alpinelinux.org/vuln/CVE-2026-7259

https://security.alpinelinux.org/vuln/CVE-2026-7261

https://security.alpinelinux.org/vuln/CVE-2026-7262

https://security.alpinelinux.org/vuln/CVE-2026-7263

https://security.alpinelinux.org/vuln/CVE-2026-7568

Plugin Details

Severity: Critical

ID: 441481

Version: Revision 1.6

Type: Local

Published: 5/7/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.92

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-7261

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.5

Threat Score: 9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS Score Source: CVE-2026-6722

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 3/13/2026

Reference Information

CVE: CVE-2026-29078, CVE-2026-29079, CVE-2026-6104, CVE-2026-6722, CVE-2026-6735, CVE-2026-7258, CVE-2026-7259, CVE-2026-7261, CVE-2026-7262, CVE-2026-7263, CVE-2026-7568