ALAS2023-2026-1726

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1726
Advisory Released Date: 2026-05-26
Advisory Updated Date: 2026-05-26

Severity: Important

References: CVE-2026-6104 CVE-2026-6722 CVE-2026-6735 CVE-2026-7258 CVE-2026-7259 CVE-2026-7261 CVE-2026-7262 CVE-2026-7263 CVE-2026-7568
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding (CVE-2026-6104)

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution. (CVE-2026-6722)

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page. (CVE-2026-6735)

Out-of-bounds read in urldecode() (CVE-2026-7258)

Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() (CVE-2026-7259)

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system. (CVE-2026-7261)

NULL pointer dereference in SOAP apache:Map decoder with missing <value> (CVE-2026-7262)

DoS attack via DOMNode::C14N(). In DOMNode::C14N(), improper removal of a xmlns libxml2 attribute from a doubly linked list can lead to a corrupt, circular linked list. The linked list is iterated in many places in PHP and libxml2, leading to DoS through segfaults, or temporal and spatial resource starvation. (CVE-2026-7263)

Signed integer overflow in metaphone() (CVE-2026-7568)

Affected Packages:

php8.4

Issue Correction:
Run dnf update php8.4 --releasever 2023.11.20260526 or dnf update --advisory ALAS2023-2026-1726 --releasever 2023.11.20260526 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    php8.4-pdo-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-bcmath-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-ffi-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-pdo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-modphp-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-dbg-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-ldap-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-common-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-mbstring-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-cli-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-gmp-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-ldap-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-common-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-dba-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-intl-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-debugsource-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-odbc-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-embedded-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-devel-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-dbg-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-pgsql-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-zip-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-gd-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-cli-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-soap-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-intl-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-enchant-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-xml-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-xml-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-odbc-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-mbstring-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-embedded-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-sodium-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-sodium-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-soap-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-bcmath-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-snmp-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-gmp-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-ffi-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-zip-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-enchant-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-process-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-fpm-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-process-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-opcache-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-tidy-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-snmp-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-mysqlnd-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-mysqlnd-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-tidy-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-opcache-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-gd-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-pgsql-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-modphp-debuginfo-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-fpm-8.4.21-1.amzn2023.0.1.aarch64
    php8.4-dba-8.4.21-1.amzn2023.0.1.aarch64

src:
    php8.4-8.4.21-1.amzn2023.0.1.src

x86_64:
    php8.4-ffi-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-zip-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-intl-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-dba-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-pgsql-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-common-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-pdo-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-sodium-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-debugsource-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-odbc-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-mbstring-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-pdo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-ffi-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-sodium-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-gmp-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-enchant-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-zip-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-bcmath-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-odbc-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-gmp-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-tidy-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-gd-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-ldap-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-mbstring-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-process-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-intl-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-dba-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-pgsql-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-mysqlnd-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-snmp-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-modphp-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-xml-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-process-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-cli-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-opcache-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-snmp-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-gd-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-common-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-cli-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-dbg-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-bcmath-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-soap-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-xml-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-opcache-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-fpm-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-fpm-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-ldap-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-embedded-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-modphp-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-embedded-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-soap-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-tidy-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-dbg-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-enchant-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-mysqlnd-debuginfo-8.4.21-1.amzn2023.0.1.x86_64
    php8.4-devel-8.4.21-1.amzn2023.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-6104, CVE-2026-6722, CVE-2026-6735, CVE-2026-7258, CVE-2026-7259, CVE-2026-7261, CVE-2026-7262, CVE-2026-7263, CVE-2026-7568

Mitre: CVE-2026-6104, CVE-2026-6722, CVE-2026-6735, CVE-2026-7258, CVE-2026-7259, CVE-2026-7261, CVE-2026-7262, CVE-2026-7263, CVE-2026-7568