Fix XSS within status endpointHEADmaster

  CVE-2026-6735
Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
  CVE-2026-6722
Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
  CVE-2026-7261
Fix Broken Apache map value NULL check
  CVE-2026-7262
Fix Signed integer overflow of char array offset
  CVE-2026-7568

1 files changed, 86 insertions, 0 deletions

diff --git a/php-cve-2026-7568.patch b/php-cve-2026-7568.patch
new file mode 100644
index 0000000..7e47785
--- /dev/null
+++ b/php-cve-2026-7568.patch
@@ -0,0 +1,86 @@
+From b7702525bc4a540eb36f392a13461971a1bac31a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@tideways-gmbh.com>
+Date: Sun, 3 May 2026 20:02:57 +0200
+Subject: [PATCH 4/6] GHSA-96wq-48vp-hh57: [metaphone] Fix signed integer
+ overflow of char array offset
+
+Fixes GHSA-96wq-48vp-hh57
+Fixes CVE-2026-7568
+
+(cherry picked from commit 47def8ce1db1fdbffcfc1f5bb11877a0e22d4b32)
+(cherry picked from commit e4fc187a011d91f26178f6dfbccdb07041b99153)
+(cherry picked from commit 53de456406a6db5a8bcded8a4b242789ae5b2690)
+(cherry picked from commit 909c2acc64d72bd57123b30e711c02aef0c08d14)
+
+[skip ci] Adjust credits for GHSA-96wq-48vp-hh57.phpt
+
+As requested by the reporter.
+
+(cherry picked from commit fee84dd8c7699e4e7f9b2e864a393ee5a372f974)
+(cherry picked from commit 101e93900888ef43d42ec0e33866bca3824f51a8)
+(cherry picked from commit 41134d0746a524d7265b67d3d8d0fd433fd7479a)
+(cherry picked from commit b40b656c0fe8080f9cd097bf77b7a3681ea3e7a0)
+(cherry picked from commit 9e4b7c856c57deda7b7887da7978328ec8b57187)
+---
+ ext/standard/metaphone.c                    |  6 +++---
+ ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 22 +++++++++++++++++++++
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+ create mode 100644 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+
+diff --git a/ext/standard/metaphone.c b/ext/standard/metaphone.c
+index def371b523..70453ee447 100644
+--- a/ext/standard/metaphone.c
++++ b/ext/standard/metaphone.c
+@@ -124,10 +124,10 @@ char _codes[26] =
+ 
+ /* Allows us to safely look ahead an arbitrary # of letters */
+ /* I probably could have just used strlen... */
+-static char Lookahead(char *word, int how_far)
++static char Lookahead(char *word, size_t how_far)
+ {
+ 	char letter_ahead = '\0';	/* null by default */
+-	int idx;
++	size_t idx;
+ 	for (idx = 0; word[idx] != '\0' && idx < how_far; idx++);
+ 	/* Edge forward in the string... */
+ 
+@@ -169,7 +169,7 @@ static char Lookahead(char *word, int how_far)
+  */
+ static int metaphone(unsigned char *word, size_t word_len, zend_long max_phonemes, zend_string **phoned_word, int traditional)
+ {
+-	int w_idx = 0;				/* point in the phonization we're at. */
++	size_t w_idx = 0;				/* point in the phonization we're at. */
+ 	size_t p_idx = 0;				/* end of the phoned phrase */
+ 	size_t max_buffer_len = 0;		/* maximum length of the destination buffer */
+ 
+diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+new file mode 100644
+index 0000000000..cf9a40062f
+--- /dev/null
++++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+@@ -0,0 +1,22 @@
++--TEST--
++GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
++--CREDITS--
++Aleksey Solovev (Positive Technologies)
++--INI--
++memory_limit=3G
++--SKIPIF--
++<?php
++if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
++if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
++if (PHP_INT_SIZE != 8) echo 'skip 64-bit only';
++?>
++--FILE--
++<?php
++
++$str = str_repeat('0', 2 * (1024 ** 3) - 2) . 'AE';
++metaphone($str, 1);
++
++?>
++===DONE===
++--EXPECT--
++===DONE===
+-- 
+2.54.0
+