SUSE-SU-2026:21612-1

Description of the patch:

This update for php8 fixes the following issues

• CVE-2025-14179: improper handling of NULL bytes by the PDO Firebird driver when preparing SQL queries can lead to SQL injection (bsc#1264778).
• CVE-2026-6104: out-of-bounds read when processing an encoding name containing an embedded NULL byte in mb_convert_encoding() can lead to information disclosure and denial of service (bsc#1264777).
• CVE-2026-6722: use-after-free in SOAP using Apache map can lead to remote code execution (bsc#1264776).
• CVE-2026-6735: improper validation of the request URI within the PHP-FPM status page can lead to XSS (bsc#1264775).
• CVE-2026-7258: signed char values passed to ctype functions like isxdigit can lead to OOB access and denial of service (bsc#1264774).
• CVE-2026-7259: NULL pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() can lead to a denial of service (bsc#1264773).
• CVE-2026-7261: use-after-free due to incorrectly handled persistence of handler objects when SOAP_PERSISTENCE_SESSION is configured can lead to memory corruption, information disclosure and process crashes (bsc#1264772).
• CVE-2026-7262: NULL pointer dereference caused by mistake in the SOAP decoding process when a typemap is configured can lead to a denial of service (bsc#1264771).
• CVE-2026-7263: incorrect processing of XML data in the DOMNode: C14N() method can lead to an infinite loop and a denial of service (bsc#1264770).
• CVE-2026-7568: integer overflow in the metaphone function can lead to undefined behavior and affect the availability of the PHPprocess (bsc#1264769).

Other updates:

• Updated to 8.4.21.