PHP could be made to crash or run programs if it received
specially crafted network traffic.
Software Description:
- php7.0: HTML-embedded scripting language interpreter
Details:
It was discovered that PHP incorrectly handled SOAP object deduplication
when processing apache:Map nodes with duplicate keys. An attacker could
possibly use this to cause a use-after-free, resulting in remote code
execution. (CVE-2026-6722)
It was discovered that PHP incorrectly handled SOAP request persistence when
configured with SOAP_PERSISTENCE_SESSION. An attacker could possibly use this
to cause a use-after-free, resulting in memory corruption, information
disclosure, or a denial of service. (CVE-2026-7261)
It was discovered that the PDO Firebird driver in PHP improperly handled NUL
bytes when quoting SQL query strings. An attacker could possibly use this to
perform SQL injection when attacker-controlled values are embedded in SQL
statements. (CVE-2025-14179)
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
php7.0-interbase 7.0.33-0ubuntu0.16.04.16+esm19
Available with Ubuntu Pro
php7.0-soap 7.0.33-0ubuntu0.16.04.16+esm19
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.https://ubuntu.com/security/notices/USN-8513-1
CVE-2025-14179, CVE-2026-6722, CVE-2026-7261
Get the latest Linux and open source security news straight to your inbox.