Ubuntu Addresses Multiple PHP Vulnerabilities (USN-8513-1)

PHP

PHP

Track EOL dates for all PHP versions.

View all versions →
Key Takeaways
  • Ubuntu patched 3 PHP vulnerabilities under USN-8513-1 on July 6, 2026
  • Two use-after-free flaws (CVE-2026-6722, CVE-2026-7261) can result in remote code execution or memory corruption
  • One SQL injection flaw (CVE-2025-14179) via PDO Firebird NUL byte mishandling

Ubuntu published security notice USN-8513-1 on July 6, 2026, patching three PHP vulnerabilities in the php7.0 package on Ubuntu 16.04 LTS. These are not new PHP vulnerabilities – the same CVEs were patched for PHP 8.1 through 8.5 on Ubuntu 22.04 and later releases in USN-8336-1 back in May 2026. USN-8513-1 is the backport of those fixes for systems still on Ubuntu 16.04 and PHP 7.0.

Two of the three flaws can result in remote code execution. If your systems are running PHP on any affected Ubuntu release and have not yet been updated, this should be prioritized.

Affected Ubuntu Releases

Ubuntu Release PHP Version Fixed Version Fix Available Via
26.04 LTS (Resolute Raccoon) php8.5 8.5.4-0ubuntu1.1 Standard update
24.04 LTS (Noble Numbat) php8.3 8.3.6-0ubuntu0.24.04.9 Standard update
22.04 LTS (Jammy Jellyfish) php8.1 8.1.2-1ubuntu2.24 Standard update
16.04 LTS (Xenial Xerus) php7.0 7.0.33-0ubuntu0.16.04.16+esm19 Ubuntu Pro required

If you are on Ubuntu 22.04, 24.04, or 26.04 and have not applied updates since May 2026, your system may still be exposed. You can simply upgrade to the latest available PHP versions to fix the issues.

Ubuntu 16.04 ESM ended in April 2026

Ubuntu 16.04 reached its end of life in April 2021 and its Expanded Security Maintenance (ESM) also ended in April 2026. This means you will need an active Ubuntu Pro subscription and a premium legacy add-on to continue receiving security patches in Ubuntu 16.04.

3 PHP Vulnerabilities Fixed in Ubuntu

Three PHP vulnerabilities were patched across both notices:

CVE Component Impact
CVE-2026-6722 SOAP (apache:Map deduplication) Remote code execution via use-after-free
CVE-2026-7261 SOAP (SOAP_PERSISTENCE_SESSION) Memory corruption, information disclosure, or DoS via use-after-free
CVE-2025-14179 PDO Firebird driver SQL injection via NUL byte mishandling in query strings

CVE-2026-6722 (CVSS v3.0 Score: 7.3 High)

PHP incorrectly handled SOAP object deduplication when processing apache:Map nodes with duplicate keys. An attacker could exploit this use-after-free condition to execute arbitrary code remotely. This is the most severe of the three php vulnerabilities in this batch and affects all Ubuntu releases listed above.

CVE-2026-7261 (CVSS v3.0 Score: 9.8 Critical)

When PHP is configured with SOAP_PERSISTENCE_SESSION, it mishandled request persistence after errors in a way that could lead to use-after-free. Consequences range from memory corruption and information disclosure to denial of service.

CVE-2025-14179 (CVSS v3.0 Score: 8.1 High)

The PDO Firebird driver improperly handled NUL bytes when quoting SQL query strings. If attacker-controlled values are embedded in SQL statements, this could allow SQL injection. The 2025 CVE ID is not a typo – this is an older flaw that was backported to the php7.0 ESM package alongside the newer fixes.

How to Check Your PHP Version

Before updating, confirm which PHP version your system is running:

php --version

Then check the installed package version:

apt-cache policy php8.1 php8.3 php8.5   # Ubuntu 22.04–26.04
apt-cache policy php7.0-soap             # Ubuntu 16.04

How to Fix

Ubuntu 22.04, 24.04, 26.04 standard update:

sudo apt update && sudo apt upgrade

Ubuntu 16.04 requires Legacy add-on after April 2026:

If your system is enrolled in Ubuntu Pro, the same command applies:

sudo apt update && sudo apt upgrade

The fixed package versions are:

Ubuntu Release Fixed Version
26.04 LTS php8.5 – see USN-8336-1
24.04 LTS php8.3 – see USN-8336-1
22.04 LTS php8.1 – see USN-8336-1
16.04 LTS php7.0-soap, php7.0-interbase – 7.0.33-0ubuntu0.16.04.16+esm19

If your Ubuntu 16.04 system is not enrolled in Ubuntu Pro, this patch is not available through standard channels.

Still Running Ubuntu 16.04 or PHP 7.0?

Ubuntu 16.04 exited standard support in April 2021 and ESM in April 2026. PHP 7.0 reached end of life in December 2019 – it has not received upstream security patches for over six years. These PHP vulnerabilities are a reminder that running end-of-life software means depending on extended support and CVE backports rather than actively maintained upstream versions.

The recommended migration path is Ubuntu 24.04 LTS with PHP 8.3, which receives security patches through standard channels until at least 2029.

References

Tagged: Security Notices cve esm php php7 php8 security ubuntu vulnerabilities