Packages
Details
Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly
handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An
attacker could possibly use this issue to perform SQL injection attacks.
(CVE-2025-14179)
It was discovered that PHP incorrectly handled certain encoding names in
mbstring. An attacker could possibly use this issue to obtain sensitive
information or cause a denial of service. This issue only affected Ubuntu
25.10 and Ubuntu 26.04 LTS. (CVE-2026-6104)
It was discovered that PHP incorrectly handled object references while
parsing crafted SOAP requests. A remote attacker could possibly use this
issue to execute arbitrary code. (CVE-2026-6722)
It was discovered that PHP incorrectly sanitized certain data in the
PHP-FPM status page. A remote attacker could possibly use...
Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly
handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An
attacker could possibly use this issue to perform SQL injection attacks.
(CVE-2025-14179)
It was discovered that PHP incorrectly handled certain encoding names in
mbstring. An attacker could possibly use this issue to obtain sensitive
information or cause a denial of service. This issue only affected Ubuntu
25.10 and Ubuntu 26.04 LTS. (CVE-2026-6104)
It was discovered that PHP incorrectly handled object references while
parsing crafted SOAP requests. A remote attacker could possibly use this
issue to execute arbitrary code. (CVE-2026-6722)
It was discovered that PHP incorrectly sanitized certain data in the
PHP-FPM status page. A remote attacker could possibly use this issue to
inject arbitrary JavaScript code. (CVE-2026-6735)
It was discovered that PHP had an encoding mismatch in mbstring. An
attacker could possibly use this issue to cause PHP to crash, resulting in
a denial of service. (CVE-2026-7259)
It was discovered that PHP incorrectly handled SOAP session persistence
after errors. A remote attacker could possibly use this issue to obtain
sensitive information or cause PHP to crash, resulting in a denial of
service. (CVE-2026-7261)
It was discovered that PHP incorrectly handled missing values in SOAP
typemap decoding. A remote attacker could possibly use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2026-7262)
It was discovered that PHP incorrectly handled XML canonicalization in
DOMNode::C14N(). An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 26.04 LTS.
(CVE-2026-7263)
It was discovered that PHP incorrectly handled very long input in
metaphone(). An attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2026-7568)
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 26.04 LTS resolute | php8.5 – 8.5.4-0ubuntu1.1 | ||
| 25.10 questing | php8.4 – 8.4.11-1ubuntu1.2 | ||
| 24.04 LTS noble | php8.3 – 8.3.6-0ubuntu0.24.04.9 | ||
| 22.04 LTS jammy | php8.1 – 8.1.2-1ubuntu2.24 | ||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.