SUSE-SU-2026:1958-1

Source
https://www.suse.com/support/update/announcement/2026/suse-su-20261958-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1958-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2026:1958-1
Upstream
  • CVE-2025-14179
  • CVE-2026-6722
  • CVE-2026-6735
  • CVE-2026-7258
  • CVE-2026-7259
  • CVE-2026-7261
  • CVE-2026-7262
  • CVE-2026-7568
Related
  • CVE-2025-14179
  • CVE-2026-6722
  • CVE-2026-6735
  • CVE-2026-7258
  • CVE-2026-7259
  • CVE-2026-7261
  • CVE-2026-7262
  • CVE-2026-7568
Published
2026-05-18T07:58:10Z
Modified
2026-05-19T08:45:09.509971274Z
Summary
Security update for php8
Details

This update for php8 fixes the following issues:

  • CVE-2025-14179: improper handling of NULL bytes by the PDO Firebird driver when preparing SQL queries can lead to SQL injection (bsc#1264778).
  • CVE-2026-6722: use-after-free in SOAP using Apache map can lead to remote code execution (bsc#1264776).
  • CVE-2026-6735: improper validation of the request URI within the PHP-FPM status page can lead to XSS (bsc#1264775).
  • CVE-2026-7258: signed char values passed to ctype functions like isxdigit can lead to OOB access and denial of service (bsc#1264774).
  • CVE-2026-7259: NULL pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() can lead to a denial of service (bsc#1264773).
  • CVE-2026-7261: use-after-free due to incorrectly handled persistence of handler objects when SOAP_PERSISTENCE_SESSION is configured can lead to memory corruption, information disclosure and process crashes (bsc#1264772).
  • CVE-2026-7262: NULL pointer dereference caused by a mistake in the SOAP decoding process when a typemap is configured can lead to a denial of service (bsc#1264771).
  • CVE-2026-7568: integer overflow in the metaphone function can lead to undefined behavior and affect the availability of the PHP process (bsc#1264769).

Other updates:

  • Updated to 8.3.31.
References

Affected packages