8.4

Debian Linux: Use-After-Free in PHP SoapServer Session Persistence

DEBIAN-CVE-2026-7261
Summary

A vulnerability in the PHP packages on Debian Linux affects SoapServer when it is configured with SOAP_PERSISTENCE_SESSION. When a SOAP request results in an error, the persisted handler object can be freed while a pointer to it is kept, which is a use-after-free. This may lead to memory corruption, information disclosure, or process crashes. To protect your system, install the fixed package versions listed below.

What to do
  • Update debian php8.2 to version 8.2.31-1~deb12u1.
  • Update debian php8.4 to version 8.4.21-1~deb13u1.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|-----------|--------|---------|-------------------|-----|
| Debian:11 | debian | php7.4 | All versions | |
| Debian:12 | debian | php8.2 | < 8.2.31-1~deb12u1 | upgrade to 8.2.31-1~deb12u1 |
| Debian:13 | debian | php8.4 | < 8.4.21-1~deb13u1 | upgrade to 8.4.21-1~deb13u1 |
| Debian:14 | debian | php8.4 | All versions | |
Original title
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted a...
Original description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in case a SOAP request results in an error, the persistence is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.
Published: 10 May 2026 · Updated: 13 May 2026 · First seen: 8 May 2026
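An exposure triage check for the condition described above, added here as an example (not code from the advisory or from PHP): it combines the upstream fixed versions from the description with a line-based search for `setPersistence(SOAP_PERSISTENCE_SESSION)` in application code. The function names, result labels and the sample sources are assumptions constructed for illustration; calls split across several lines are not detected.

```python
import re

# First fixed upstream release per PHP branch, taken from the advisory text.
FIXED_PATCH = {(8, 2): 31, (8, 3): 31, (8, 4): 21, (8, 5): 6}

# ->setPersistence(SOAP_PERSISTENCE_SESSION), tolerating whitespace and a
# leading backslash on the constant. Single-line calls only.
PERSIST_RE = re.compile(
    r"->\s*setPersistence\s*\(\s*\\?SOAP_PERSISTENCE_SESSION\s*\)", re.I)

def branch_status(version):
    """Classify an upstream or Debian version string such as '8.2.30-1~deb12u1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unknown"
    major, minor, patch = map(int, m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unknown"  # branch has no upstream range in the description
    return "fixed" if patch >= fixed else "vulnerable"

def find_session_persistence(sources):
    """sources maps path -> PHP source text; returns [(path, line_number)]."""
    hits = []
    for path, text in sources.items():
        for number, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith(("//", "#", "*")):
                continue  # skip commented-out calls
            if PERSIST_RE.search(line):
                hits.append((path, number))
    return hits

def exposure(version, sources):
    """Return (label, hits): the bug needs both the setting and an unfixed PHP."""
    hits = find_session_persistence(sources)
    if not hits:
        return "no-usage-found", hits
    status = branch_status(version)
    label = {"fixed": "patched", "vulnerable": "exposed"}.get(status, "review")
    return label, hits

# Constructed sample input, not taken from any real application.
SAMPLE = {
    "api/soap.php": "<?php\n$s = new SoapServer(null, ['uri' => 'urn:x']);\n"
                    "$s->setClass('Cart');\n"
                    "$s->setPersistence(SOAP_PERSISTENCE_SESSION);\n$s->handle();\n",
    "api/other.php": "<?php\n// $s->setPersistence(SOAP_PERSISTENCE_SESSION);\n"
                     "$s->setPersistence(SOAP_PERSISTENCE_REQUEST);\n",
}
```

A "review" result means the code uses session persistence on a branch the description gives no fixed upstream version for, so the Debian package table decides.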