SB2026041796 - Fedora 42 update for phpunit11
Published: April 17, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Deserialization of Untrusted Data (CVE-ID: CVE-2026-24765)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to deserialization of untrusted data in the cleanupForCoverage() method of the PHPT test runner when processing a pre-existing .coverage file during PHPT test execution with code coverage instrumentation enabled. A local user can place a malicious serialized object in a .coverage file to execute arbitrary code.
The issue is triggered only if a .coverage file is present before test execution.
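A pre-flight check built on the trigger condition above, as an added example that is not part of the bulletin or of PHPUnit: it fails a CI job when any `.coverage` file already exists in the test tree before the run. The function names and the directory argument are assumptions, as is matching on the `.coverage` suffix alone.

```shell
#!/bin/sh
# Added example (not PHPUnit code): refuse to start a coverage-enabled PHPT
# run while a .coverage file is already present in the test tree.
# Assumption: the artifact is identified by its ".coverage" suffix, as the
# bulletin words it; names such as check_tree are hypothetical.

# List every pre-existing *.coverage entry under a directory, one per line.
# Symlinks are included because the test runner would follow them on read.
find_precreated_coverage() {
    find "$1" \( -type f -o -type l \) -name '*.coverage' -print | sort
}

# Return 0 if the tree is clean, 1 if a .coverage file exists,
# 2 if the directory cannot be inspected (treated as a failure, not as clean).
check_tree() {
    tree_dir="${1:-.}"
    if [ ! -d "$tree_dir" ]; then
        printf 'cannot inspect %s: not a directory\n' "$tree_dir" >&2
        return 2
    fi
    hits="$(find_precreated_coverage "$tree_dir")"
    if [ -n "$hits" ]; then
        printf 'pre-existing .coverage file(s) found before test run:\n%s\n' \
            "$hits" >&2
        return 1
    fi
    return 0
}

# Typical use in a CI step, before the test runner is invoked:
#   check_tree tests || exit 1
```

Because the check reports rather than deletes, the unexpected file stays in place for review of how it got there.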
Remediation
Install update from vendor's website.