This update for php8 fixes the following issues
* CVE-2025-14179: improper handling of NULL bytes by the PDO Firebird driver
when preparing SQL queries can lead to SQL injection (bsc#1264778).
* CVE-2026-6722: use-after-free in SOAP using Apache map can lead to remote
code execution (bsc#1264776).
* CVE-2026-6735: improper validation of the request URI within the PHP-FPM
status page can lead to XSS (bsc#1264775).
* CVE-2026-7258: signed `char` values passed to `ctype` functions like
`isxdigit` can lead to OOB access and denial of service (bsc#1264774).
* CVE-2026-7259: NULL pointer dereference in `php_mb_check_encoding()` via
`mb_ereg_search_init()` can lead to a denial of service (bsc#1264773).
* CVE-2026-7261: use-after-free due to incorrectly handled persistence of
handler objects when SOAP_PERSISTENCE_SESSION is configured can lead to
memory corruption, information disclosure and process crashes (bsc#1264772).
* CVE-2026-7262: NULL...
Read the Full Advisory## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-2037=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2037=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2037=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2037=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2037=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2037=1
* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2037=1
* SUSE Linux Enterprise...
Read the Full Advisory* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* php8-fastcgi-debugsource-8.0.30-150400.4.65.1
* php8-zlib-8.0.30-150400.4.65.1
* php8-phar-debuginfo-8.0.30-150400.4.65.1
* php8-posix-8.0.30-150400.4.65.1
* php8-intl-8.0.30-150400.4.65.1
* php8-xmlreader-8.0.30-150400.4.65.1
* php8-readline-debuginfo-8.0.30-150400.4.65.1
* php8-gd-debuginfo-8.0.30-150400.4.65.1
* php8-calendar-debuginfo-8.0.30-150400.4.65.1
* php8-opcache-debuginfo-8.0.30-150400.4.65.1
* php8-phar-8.0.30-150400.4.65.1
* php8-sodium-debuginfo-8.0.30-150400.4.65.1
* php8-zip-debuginfo-8.0.30-150400.4.65.1
* php8-pgsql-8.0.30-150400.4.65.1
* php8-calendar-8.0.30-150400.4.65.1
* php8-xmlreader-debuginfo-8.0.30-150400.4.65.1
* php8-bz2-debuginfo-8.0.30-150400.4.65.1
* php8-sysvshm-debuginfo-8.0.30-150400.4.65.1
* php8-sysvmsg-debuginfo-8.0.30-150400.4.65.1
* php8-zip-8.0.30-150400.4.65.1
* php8-xsl-8.0.30-150400.4.65.1
* php8-tokenizer-debuginfo-8.0.30-150400.4.65.1
* php8-pcntl-debuginfo-8.0.30-150400.4.65.1
*...
Read the Full Advisory* bsc#1264769
* bsc#1264771
* bsc#1264772
* bsc#1264773
* bsc#1264774
* bsc#1264775
* bsc#1264776
* bsc#1264778
## References:
* https://www.suse.com/security/cve/CVE-2025-14179.html
* https://www.suse.com/security/cve/CVE-2026-6722.html
* https://www.suse.com/security/cve/CVE-2026-6735.html
* https://www.suse.com/security/cve/CVE-2026-7258.html
* https://www.suse.com/security/cve/CVE-2026-7259.html
* https://www.suse.com/security/cve/CVE-2026-7261.html
* https://www.suse.com/security/cve/CVE-2026-7262.html
* https://www.suse.com/security/cve/CVE-2026-7568.html
* https://bugzilla.suse.com/show_bug.cgi?id=1264769
* https://bugzilla.suse.com/show_bug.cgi?id=1264771
* https://bugzilla.suse.com/show_bug.cgi?id=1264772
* https://bugzilla.suse.com/show_bug.cgi?id=1264773
* https://bugzilla.suse.com/show_bug.cgi?id=1264774
* https://bugzilla.suse.com/show_bug.cgi?id=1264775
* https://bugzilla.suse.com/show_bug.cgi?id=1264776
* https://bugzilla.suse.com/show_bug.cgi?id=1264778
Get the latest Linux and open source security news straight to your inbox.