Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6,
when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across
requests via session storage. However, in the case SOAP requests results in an error, the persistance is
handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-
after-free. This may lead to memory corruption, information disclosure, or process crashes, with
confidentiality, integrity, and availability impact on the vulnerable system. (CVE-2026-7261)
- In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded
NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes
that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-
bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected
functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and
mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
(CVE-2026-6104)
- In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the
SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without
incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the
second entry overwrites the first in the temporary result map, freeing the original PHP object while its
stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling
pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with
control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
(CVE-2026-6722)
- In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to
improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to
execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM
status page. (CVE-2026-6735)
- In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6,
some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the
systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can
lead to accessing array with negative offset, which can trigger a denial of service. (CVE-2026-7258)
Solution
Update the php84 library and its related packages to version 8.4.21-r0 or later.
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 3/13/2026
Reference Information
CVE: CVE-2026-29078, CVE-2026-29079, CVE-2026-6104, CVE-2026-6722, CVE-2026-6735, CVE-2026-7258, CVE-2026-7259, CVE-2026-7261, CVE-2026-7262, CVE-2026-7263, CVE-2026-7568