Fedora 42 : php (2026-3a58db70ca)

critical Nessus Plugin ID 314603

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-3a58db70ca advisory.

**PHP version 8.4.21** (07 May 2026)

**Core:**

* Fixed bug [GH-19983](https://github.com/php/php-src/issues/19983) (GC assertion failure with fibers, generators and destructors). (iliaal)
* Fixed bug [GH-21478](https://github.com/php/php-src/issues/21478) (Forward property operations to real instance for initialized lazy proxies). (iliaal)
* Fixed bug [GH-21605](https://github.com/php/php-src/issues/21605) (Missing addref for Countable::count()). (ilutov)
* Fixed bug [GH-21699](https://github.com/php/php-src/issues/21699) (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws). (macoaure)
* Fixed bug [GH-21603](https://github.com/php/php-src/issues/21603) (Missing addref for __unset). (ilutov)
* Fixed bug [GH-21760](https://github.com/php/php-src/issues/21760) (Trait with class constant name conflict against enum case causes SEGV). (Pratik Bhujel)

**CLI:**

* Fixed bug [GH-21754](https://github.com/php/php-src/issues/21754) (`--rf` command line option with a method triggers ext/reflection deprecation warnings). (DanielEScherzer)

**Curl:**

* Add support for brotli and zstd on Windows. (Shivam Mathur)

**DOM:**

* Fixed [GHSA-4jhr-8w89-j733](https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733) and [GH-21566](https://github.com/php/php-src/issues/21566) (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (**CVE-2026-7263**) (David Carlier)
* Fixed bug [GH-21688](https://github.com/php/php-src/issues/21688) (segmentation fault on empty HTMLDocument). (David Carlier)
* Upgrade to lexbor v2.7.0. (**CVE-2026-29078**, **CVE-2026-29079**) (ndossche, ilutov)

**FPM:**

* Fixed [GHSA-7qg2-v9fj-4mwv](https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv) (XSS within status endpoint). (**CVE-2026-6735**) (Jakub Zelenka)

**Iconv:**

* Fixed bug [GH-17399](https://github.com/php/php-src/issues/17399) (iconv memory leak on bailout). (iliaal)

**MBString:**

* Fixed [GHSA-wm6j-2649-pv75](https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75) (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (**CVE-2026-7259**) (vi3tL0u1s)
* Fixed [GHSA-74r9-qxhc-fx53](https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53) (Out-of-bounds access in mbfl_name2encoding_ex()). (**CVE-2026-6104**) (ilutov)

**Opcache:**

* Fixed bug [GH-21158](https://github.com/php/php-src/issues/21158) (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg). (Arnaud)
* Fixed bug [GH-21593](https://github.com/php/php-src/issues/21593) (Borked function JIT JMPNZ smart branch). (ilutov)
* Fixed bug [GH-21460](https://github.com/php/php-src/issues/21460) (COND optimization regression). (Dmitry, Arnaud)
* Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)

**OpenSSL:**

* Fix a bunch of memory leaks and crashes on edge cases. (ndossche)

**PDO_Firebird:**

* Fixed [GHSA-w476-322c-wpvm](https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm) (SQL injection via NUL bytes in quoted strings). (**CVE-2025-14179**) (SakiTakamachi)

**Phar:**

* Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
* Fixed bug [GH-21797](https://github.com/php/php-src/issues/21797) (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment). (iliaal)
* Fix memory leak in Phar::offsetGet(). (iliaal)
* Fix memory leak in phar_add_file(). (iliaal)
* Fixed bug [GH-21799](https://github.com/php/php-src/issues/21799) (phar: propagate phar_stream_flush return value from phar_stream_close). (iliaal)
* Fix memory leak in phar_verify_signature() when md_ctx is invalid. (JarneClauw)

**Random:**

* Fixed bug [GH-21731](https://github.com/php/php-src/issues/21731) (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state). (iliaal)

**Session:**

* Fixed memory leak when session GC callback returns a refcounted value. (jorgsowa)

**SOAP:**

* Fixed [GHSA-85c2-q967-79q5](https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5) (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (**CVE-2026-6722**) (ilutov)
* Fixed [GHSA-m33r-qmcv-p97q](https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q) (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (**CVE-2026-7261**) (ilutov)
* Fixed [GHSA-hmxp-6pc4-f3vv](https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv) (Broken Apache map value NULL check). (**CVE-2026-7262**) (ilutov)

**SPL:**

* Fixed bug [GH-21499](https://github.com/php/php-src/issues/21499) (RecursiveArrayIterator getChildren UAF after parent free). (Girgias)
* Fix concurrent iteration and deletion issues in SplObjectStorage. (ndossche)

**Standard:**

* Fixed [GHSA-96wq-48vp-hh57](https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57) (Signed integer overflow of char array offset). (**CVE-2026-7568**) (TimWolla)
* Fixed [GHSA-m8rr-4c36-8gq4](https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4) (Consistently pass unsigned char to ctype.h functions). (**CVE-2026-7258**) (ilutov)

**Streams:**

* Fixed bug [GH-21468](https://github.com/php/php-src/issues/21468) (Segfault in file_get_contents w/ a https URL and a proxy set). (ndossche)

**XSL:**

* Fixed bug [GH-21600](https://github.com/php/php-src/issues/21600) (Segfault on module shutdown). (David Carlier)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected php package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2026-3a58db70ca

Plugin Details

Severity: Critical

ID: 314603

File Name: fedora_2026-3a58db70ca.nasl

Version: 1.2

Type: Local

Agent: unix

Published: 5/14/2026

Updated: 5/15/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-7261

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.5

Threat Score: 9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS Score Source: CVE-2026-6722

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:php, cpe:/o:fedoraproject:fedora:42

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/6/2026

Vulnerability Publication Date: 3/13/2026

Reference Information

CVE: CVE-2025-14179, CVE-2026-29078, CVE-2026-29079, CVE-2026-6104, CVE-2026-6722, CVE-2026-6735, CVE-2026-7258, CVE-2026-7259, CVE-2026-7261, CVE-2026-7262, CVE-2026-7263, CVE-2026-7568

FEDORA: 2026-3a58db70ca

IAVA: 2026-A-0440