Critical php8 RCE Vulnerabilities in openSUSE Leap 16.0 Affecting Security

opensuse
May 19, 2026
Critical openSUSE patch for php8 resolves 10 vulnerabilities affecting system integrity and security.
An update that solves 10 vulnerabilities and has 10 bug fixes can now be installed.

Description

This update for php8 fixes the following issues:

- CVE-2025-14179: improper handling of NULL bytes by the PDO Firebird driver when preparing SQL queries can lead to SQL injection (bsc#1264778).
- CVE-2026-6104: out-of-bounds read when processing an encoding name containing an embedded NULL byte in `mb_convert_encoding()` can lead to information disclosure and denial of service (bsc#1264777).
- CVE-2026-6722: use-after-free in SOAP using Apache map can lead to remote code execution (bsc#1264776).
- CVE-2026-6735: improper validation of the request URI within the PHP-FPM status page can lead to XSS (bsc#1264775).
- CVE-2026-7258: signed `char` values passed to `ctype` functions like `isxdigit` can lead to OOB access and denial of service (bsc#1264774).
- CVE-2026-7259: NULL pointer dereference in `php_mb_check_encoding()` via `mb_ereg_search_init()` can lead to a denial of service (bsc#1264773).

- CVE-2026-7261: use-after-free due to incorrectly handled persistence of handler...
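The bug class named in CVE-2026-7258, shown as an added C example that is not PHP source and not part of the advisory: a hex decoder that casts each byte to `unsigned char` before calling `<ctype.h>` functions, so bytes with the high bit set are rejected instead of being passed as negative values. The names `is_hex_byte`, `hex_value` and `hex_decode` are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helpers, not PHP source. <ctype.h> functions accept an int
 * that must be EOF or a value representable as unsigned char. Where plain
 * char is signed, a byte >= 0x80 is negative, so isxdigit(c) on the raw
 * char may index before the classification table. Cast first. */
static int is_hex_byte(char c)
{
    return isxdigit((unsigned char)c) != 0;
}

static int hex_value(char c)
{
    unsigned char u = (unsigned char)c;
    return isdigit(u) ? u - '0' : tolower(u) - 'a' + 10;
}

/* Decode in_len hex characters into out (capacity out_cap bytes).
 * Returns bytes written, or -1 for odd length, a non-hex byte,
 * or an output buffer that is too small. */
long hex_decode(const char *in, size_t in_len,
                unsigned char *out, size_t out_cap)
{
    if (in_len % 2 != 0 || in_len / 2 > out_cap)
        return -1;
    for (size_t i = 0; i < in_len; i += 2) {
        if (!is_hex_byte(in[i]) || !is_hex_byte(in[i + 1]))
            return -1;
        out[i / 2] = (unsigned char)(hex_value(in[i]) << 4 |
                                     hex_value(in[i + 1]));
    }
    return (long)(in_len / 2);
}

int main(void)
{
    /* Constructed inputs: valid hex, then bytes with the high bit set. */
    const char high[] = { 'a', (char)0xE9, (char)0xFF, '0' };
    unsigned char buf[4];

    printf("valid: %ld\n", hex_decode("dEadBEef", 8, buf, sizeof buf));
    printf("high-bit: %ld\n", hex_decode(high, sizeof high, buf, sizeof buf));
    return 0;
}
```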


Patch

Package List

- openSUSE Leap 16.0:
  - apache2-mod_php8-8.4.21-160000.1.1
  - php8-8.4.21-160000.1.1
  - php8-bcmath-8.4.21-160000.1.1
  - php8-bz2-8.4.21-160000.1.1
  - php8-calendar-8.4.21-160000.1.1
  - php8-cli-8.4.21-160000.1.1
  - php8-ctype-8.4.21-160000.1.1
  - php8-curl-8.4.21-160000.1.1
  - php8-dba-8.4.21-160000.1.1
  - php8-devel-8.4.21-160000.1.1
  - php8-dom-8.4.21-160000.1.1
  - php8-embed-8.4.21-160000.1.1
  - php8-enchant-8.4.21-160000.1.1
  - php8-exif-8.4.21-160000.1.1
  - php8-fastcgi-8.4.21-160000.1.1
  - php8-ffi-8.4.21-160000.1.1
  - php8-fileinfo-8.4.21-160000.1.1
  - php8-fpm-8.4.21-160000.1.1
  - php8-fpm-apache-8.4.21-160000.1.1
  - php8-ftp-8.4.21-160000.1.1
  - php8-gd-8.4.21-160000.1.1
  - php8-gettext-8.4.21-160000.1.1
  - php8-gmp-8.4.21-160000.1.1
  - php8-iconv-8.4.21-160000.1.1
  - php8-intl-8.4.21-160000.1.1
  - php8-ldap-8.4.21-160000.1.1
  - php8-mbstring-8.4.21-160000.1.1
  - php8-mysql-8.4.21-160000.1.1
  - php8-odbc-8.4.21-160000.1.1
  - php8-opcache-8.4.21-160000.1.1
  - php8-openssl-8.4.21-160000.1.1
  - php8-pcntl-8.4.21-160000.1.1
  - php8-pdo-8.4.21-160000.1.1
  - php8-pgsql-8.4.21-160000.1.1
  - php8-phar-8.4.21-160000.1.1

p...


References

* bsc#1264769
* bsc#1264770
* bsc#1264771
* bsc#1264772
* bsc#1264773
* bsc#1264774
* bsc#1264775
* bsc#1264776
* bsc#1264777
* bsc#1264778
* https://www.suse.com/security/cve/CVE-2025-14179.html
* https://www.suse.com/security/cve/CVE-2026-6104.html
* https://www.suse.com/security/cve/CVE-2026-6722.html
* https://www.suse.com/security/cve/CVE-2026-6735.html
* https://www.suse.com/security/cve/CVE-2026-7258.html
* https://www.suse.com/security/cve/CVE-2026-7259.html
* https://www.suse.com/security/cve/CVE-2026-7261.html
* https://www.suse.com/security/cve/CVE-2026-7262.html
* https://www.suse.com/security/cve/CVE-2026-7263.html
* https://www.suse.com/security/cve/CVE-2026-7568.html

Severity
critical

Announcement ID: openSUSE-SU-2026:20745-1
Rating: critical
Affected Products: openSUSE Leap 16.0