Ubuntu published security notice USN-8513-1 on July 6, 2026, patching three PHP vulnerabilities in the php7.0 package on Ubuntu 16.04 LTS. These are not new PHP vulnerabilities – the same CVEs were patched for PHP 8.1 through 8.5 on Ubuntu 22.04 and later releases in USN-8336-1 back in May 2026. USN-8513-1 is the backport of those fixes for systems still on Ubuntu 16.04 and PHP 7.0.
Two of the three flaws can result in remote code execution. If your systems are running PHP on any affected Ubuntu release and have not yet been updated, this should be prioritized.
Affected Ubuntu Releases
| Ubuntu Release | PHP Version | Fixed Version | Fix Available Via |
|---|---|---|---|
| 26.04 LTS (Resolute Raccoon) | php8.5 | 8.5.4-0ubuntu1.1 | Standard update |
| 24.04 LTS (Noble Numbat) | php8.3 | 8.3.6-0ubuntu0.24.04.9 | Standard update |
| 22.04 LTS (Jammy Jellyfish) | php8.1 | 8.1.2-1ubuntu2.24 | Standard update |
| 16.04 LTS (Xenial Xerus) | php7.0 | 7.0.33-0ubuntu0.16.04.16+esm19 | Ubuntu Pro required |
If you are on Ubuntu 22.04, 24.04, or 26.04 and have not applied updates since May 2026, your system may still be exposed. You can simply upgrade to the latest available PHP versions to fix the issues.
Ubuntu 16.04 ESM ended in April 2026
Ubuntu 16.04 reached its end of life in April 2021 and its Expanded Security Maintenance (ESM) also ended in April 2026. This means you will need an active Ubuntu Pro subscription and a premium legacy add-on to continue receiving security patches in Ubuntu 16.04.
3 PHP Vulnerabilities Fixed in Ubuntu
Three PHP vulnerabilities were patched across both notices:
| CVE | Component | Impact |
|---|---|---|
| CVE-2026-6722 | SOAP (apache:Map deduplication) | Remote code execution via use-after-free |
| CVE-2026-7261 | SOAP (SOAP_PERSISTENCE_SESSION) | Memory corruption, information disclosure, or DoS via use-after-free |
| CVE-2025-14179 | PDO Firebird driver | SQL injection via NUL byte mishandling in query strings |
CVE-2026-6722 (CVSS v3.0 Score: 7.3 High)
PHP incorrectly handled SOAP object deduplication when processing apache:Map nodes with duplicate keys. An attacker could exploit this use-after-free condition to execute arbitrary code remotely. This is the most severe of the three php vulnerabilities in this batch and affects all Ubuntu releases listed above.
CVE-2026-7261 (CVSS v3.0 Score: 9.8 Critical)
When PHP is configured with SOAP_PERSISTENCE_SESSION, it mishandled request persistence after errors in a way that could lead to use-after-free. Consequences range from memory corruption and information disclosure to denial of service.
CVE-2025-14179 (CVSS v3.0 Score: 8.1 High)
The PDO Firebird driver improperly handled NUL bytes when quoting SQL query strings. If attacker-controlled values are embedded in SQL statements, this could allow SQL injection. The 2025 CVE ID is not a typo – this is an older flaw that was backported to the php7.0 ESM package alongside the newer fixes.
How to Check Your PHP Version
Before updating, confirm which PHP version your system is running:
php --version
Then check the installed package version:
apt-cache policy php8.1 php8.3 php8.5 # Ubuntu 22.04–26.04
apt-cache policy php7.0-soap # Ubuntu 16.04
How to Fix
Ubuntu 22.04, 24.04, 26.04 standard update:
sudo apt update && sudo apt upgrade
Ubuntu 16.04 requires Legacy add-on after April 2026:
If your system is enrolled in Ubuntu Pro, the same command applies:
sudo apt update && sudo apt upgrade
The fixed package versions are:
| Ubuntu Release | Fixed Version |
|---|---|
| 26.04 LTS | php8.5 – see USN-8336-1 |
| 24.04 LTS | php8.3 – see USN-8336-1 |
| 22.04 LTS | php8.1 – see USN-8336-1 |
| 16.04 LTS | php7.0-soap, php7.0-interbase – 7.0.33-0ubuntu0.16.04.16+esm19 |
If your Ubuntu 16.04 system is not enrolled in Ubuntu Pro, this patch is not available through standard channels.
Still Running Ubuntu 16.04 or PHP 7.0?
Ubuntu 16.04 exited standard support in April 2021 and ESM in April 2026. PHP 7.0 reached end of life in December 2019 – it has not received upstream security patches for over six years. These PHP vulnerabilities are a reminder that running end-of-life software means depending on extended support and CVE backports rather than actively maintained upstream versions.
The recommended migration path is Ubuntu 24.04 LTS with PHP 8.3, which receives security patches through standard channels until at least 2029.