USN-7953-1: PHP vulnerabilities

USN-7953-1: PHP vulnerabilities

Publication date: 12 January 2026
Overview: Several security issues were fixed in PHP.

Packages
php7.2 - HTML-embedded scripting language interpreter
php7.4 - HTML-embedded scripting language interpreter
php8.1 - HTML-embedded scripting language interpreter
php8.3 - HTML-embedded scripting language interpreter
php8.4 - HTML-embedded scripting language interpreter

Details
It was discovered that PHP incorrectly handled memory while reading images
in multi-chunk mode. An attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 24.04 LTS, Ubuntu
25.04 and Ubuntu 25.10. (CVE-2025-14177)

It was discovered that PHP incorrectly handled memory when element count
exceeds 32-bit limit. An attacker could possibly use this issue to cause
a denial of service. (CVE-2025-14178)

It was discovered that PHP incorrectly handled memory when using the PDO
PostgreSQL driver. An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, Ubuntu 25.04 and Ubuntu 25.10. (CVE-2025-14180)

Update instructions
In general, a standard system update will make all the necessary changes.

The problem can be corrected by updating your system to the following package versions:

• 25.10 questing php8.4 – 8.4.11-1ubuntu1.1
• 25.04 plucky php8.4 – 8.4.5-1ubuntu1.2
• 24.04 LTS noble php8.3 – 8.3.6-0ubuntu0.24.04.6
• 22.04 LTS jammy php8.1 – 8.1.2-1ubuntu2.23
• 20.04 LTS focal php7.4 – 7.4.3-4ubuntu2.29+esm3
• 18.04 LTS bionic php7.2 – 7.2.24-0ubuntu0.18.04.17+esm12