
Debian 11 php7.4 Important Remote Code Exec Denial of Service DLA-4586-1

Debian LTS
May 16, 2026
Multiple security issues addressed in PHP7.4 could lead to remote code execution, information exposure, and DoS in Debian.
Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in remote code execution, information disclosure, denia...

Summary

CVE-2026-6722

A use-after-free issue was discovered in the SOAP extension which
may lead to remote code execution when an apache:Map node contains
a duplicate key.

CVE-2026-6735

Conrad Draper discovered that the request URI within the PHP-FPM
status page was improperly sanitized, thereby allowing cross-site
scripting (XSS).

CVE-2026-7258

An out-of-bounds read issue was discovered in `urldecode()`, which
may lead to denial of service on some platforms.

CVE-2026-7261

Ilia Alshanetsky discovered a use-after-free issue after header
parsing failure when SoapServer is configured with
SOAP_PERSISTENCE_SESSION, which may lead to denial of service.

CVE-2026-7262

Ilia Alshanetsky discovered a NULL pointer dereference issue in the SOAP
apache:Map decoder with missing `` element, thereby leading
to denial of service.

CVE-2026-7568

Aleksey Solovev discovered a signed integer overflow in the
`metaphone()` function from the PHP standard library.



Severity: important

Package: php7.4
Version: 7.4.33-1+deb11u11
CVE ID: CVE-2026-6722 CVE-2026-6735 CVE-2026-7258 CVE-2026-7261
Debian Bug: 1136054
