diff --git a/php-cve-2025-14177.patch b/php-cve-2025-14177.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7ef1b2b5a2978bdc8db2b5f37b7468306f7e0421
--- /dev/null
+++ b/php-cve-2025-14177.patch
@@ -0,0 +1,103 @@
+From ed665eb1903737d2b52b27368b155f6208604ed9 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
+Date: Tue, 25 Nov 2025 23:11:38 +0100
+Subject: [PATCH 1/5] Fix GH-20584: Information Leak of Memory
+
+The string added had uninitialized memory due to
+php_read_stream_all_chunks() not moving the buffer position, resulting
+in the same data always being overwritten instead of new data being
+added to the end of the buffer.
+
+This is backport as there is a security impact as described in
+GHSA-3237-qqm7-mfv7 .
+
+(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc)
+---
+ ext/standard/image.c                  | 17 +++++++++++-
+ ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/image/gh20584.phpt
+
+diff --git a/ext/standard/image.c b/ext/standard/image.c
+index 419522c6a2e..69f18d100f5 100644
+--- a/ext/standard/image.c
++++ b/ext/standard/image.c
+@@ -424,6 +424,21 @@ static int php_skip_variable(php_stream * stream)
+ }
+ /* }}} */
+ 
++static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_t length)
++{
++	size_t read_total = 0;
++	do {
++		ssize_t read_now = php_stream_read(stream, buffer, length - read_total);
++		read_total += read_now;
++		if (read_now < stream->chunk_size && read_total != length) {
++			return 0;
++		}
++		buffer += read_now;
++	} while (read_total < length);
++
++	return read_total;
++}
++
+ /* {{{ php_read_APP */
+ static int php_read_APP(php_stream * stream, unsigned int marker, zval *info)
+ {
+@@ -440,7 +455,7 @@ static int php_read_APP(php_stream * stream, unsigned int marker, zval *info)
+ 
+ 	buffer = emalloc(length);
+ 
+-	if (php_stream_read(stream, buffer, (size_t) length) != length) {
++	if (php_read_stream_all_chunks(stream, buffer, length) != length) {
+ 		efree(buffer);
+ 		return 0;
+ 	}
+diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt
+new file mode 100644
+index 00000000000..d117f218202
+--- /dev/null
++++ b/ext/standard/tests/image/gh20584.phpt
+@@ -0,0 +1,39 @@
++--TEST--
++GH-20584 (Information Leak of Memory)
++--CREDITS--
++Nikita Sveshnikov (Positive Technologies)
++--FILE--
++<?php
++// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter
++$file = __DIR__ . '/gh20584.jpg';
++
++// Make APP1 large enough so it is read in multiple chunks
++$chunk = 8192;
++$tail = 123;
++$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z',
++$tail);
++$app1Len = 2 + strlen($payload);
++
++// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI
++$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) .
++"\x01\x11\x00";
++$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof .
++"\xFF\xD9";
++file_put_contents($file, $jpeg);
++
++// Read through a filter to enforce multiple reads
++$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file;
++$info = null;
++@getimagesize($src, $info);
++$exp = $payload;
++$ret = $info['APP1'];
++
++var_dump($ret === $exp);
++
++?>
++--CLEAN--
++<?php
++@unlink(__DIR__ . '/gh20584.jpg');
++?>
++--EXPECT--
++bool(true)
+-- 
+2.52.0
+
diff --git a/php-cve-2025-14178.patch b/php-cve-2025-14178.patch
new file mode 100644
index 0000000000000000000000000000000000000000..867ffba791ab0a07d5cb274156c4a32166d9c8f4
--- /dev/null
+++ b/php-cve-2025-14178.patch
@@ -0,0 +1,62 @@
+From e4516e52979e8b67d9d35dfdbcc5dc7368263fa2 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
+Date: Sun, 9 Nov 2025 13:23:11 +0100
+Subject: [PATCH 3/5] Fix GHSA-h96m-rvf9-jgm2
+
+(cherry picked from commit 8b801151bd54b36aae4593ed6cfc096e8122b415)
+---
+ ext/standard/array.c                             |  7 ++++++-
+ .../tests/array/GHSA-h96m-rvf9-jgm2.phpt         | 16 ++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+
+diff --git a/ext/standard/array.c b/ext/standard/array.c
+index 4b68040adc8..2960713d00e 100644
+--- a/ext/standard/array.c
++++ b/ext/standard/array.c
+@@ -3798,7 +3798,7 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
+ 	int argc, i;
+ 	zval *src_entry;
+ 	HashTable *src, *dest;
+-	uint32_t count = 0;
++	uint64_t count = 0;
+ 
+ 	ZEND_PARSE_PARAMETERS_START(0, -1)
+ 		Z_PARAM_VARIADIC('+', args, argc)
+@@ -3818,6 +3818,11 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
+ 		count += zend_hash_num_elements(Z_ARRVAL_P(arg));
+ 	}
+ 
++	if (UNEXPECTED(count >= HT_MAX_SIZE)) {
++		zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
++		RETURN_THROWS();
++	}
++
+ 	if (argc == 2) {
+ 		zval *ret = NULL;
+ 
+diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+new file mode 100644
+index 00000000000..2e3e85357e1
+--- /dev/null
++++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++GHSA-h96m-rvf9-jgm2
++--FILE--
++<?php
++
++$power = 20; // Chosen to be well within a memory_limit
++$arr = range(0, 2**$power);
++try {
++    array_merge(...array_fill(0, 2**(32-$power), $arr));
++} catch (Error $e) {
++    echo $e->getMessage(), "\n";
++}
++
++?>
++--EXPECTF--
++The total number of elements must be lower than %d
+-- 
+2.52.0
+
diff --git a/php-ghsa-www2-q4fc-65wf.patch b/php-ghsa-www2-q4fc-65wf.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fa6274c132dbc58f4ee156d4260394c455f46365
--- /dev/null
+++ b/php-ghsa-www2-q4fc-65wf.patch
@@ -0,0 +1,198 @@
+From 52c5762a902e8731b7068ded027fbd780f5a1991 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sat, 6 Sep 2025 21:55:13 +0200
+Subject: [PATCH 4/5] Fix GHSA-www2-q4fc-65wf
+
+(cherry picked from commit ed70b1ea43a9b7ffa2f53b3e5d6ba403f37ae81c)
+---
+ ext/standard/basic_functions.c                | 12 ++--
+ ext/standard/dns.c                            |  6 +-
+ ext/standard/dns_win32.c                      |  6 +-
+ .../tests/network/ghsa-www2-q4fc-65wf.phpt    | 62 +++++++++++++++++++
+ 4 files changed, 74 insertions(+), 12 deletions(-)
+ create mode 100644 ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
+
+diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
+index 876ef347ebf..9eba6d5a14c 100755
+--- a/ext/standard/basic_functions.c
++++ b/ext/standard/basic_functions.c
+@@ -633,7 +633,7 @@ PHP_FUNCTION(inet_pton)
+ 	char buffer[17];
+ 
+ 	ZEND_PARSE_PARAMETERS_START(1, 1)
+-		Z_PARAM_STRING(address, address_len)
++		Z_PARAM_PATH(address, address_len)
+ 	ZEND_PARSE_PARAMETERS_END();
+ 
+ 	memset(buffer, 0, sizeof(buffer));
+@@ -670,7 +670,7 @@ PHP_FUNCTION(ip2long)
+ #endif
+ 
+ 	ZEND_PARSE_PARAMETERS_START(1, 1)
+-		Z_PARAM_STRING(addr, addr_len)
++		Z_PARAM_PATH(addr, addr_len)
+ 	ZEND_PARSE_PARAMETERS_END();
+ 
+ #ifdef HAVE_INET_PTON
+@@ -2265,8 +2265,8 @@ PHP_FUNCTION(getservbyname)
+ 	struct servent *serv;
+ 
+ 	ZEND_PARSE_PARAMETERS_START(2, 2)
+-		Z_PARAM_STRING(name, name_len)
+-		Z_PARAM_STRING(proto, proto_len)
++		Z_PARAM_PATH(name, name_len)
++		Z_PARAM_PATH(proto, proto_len)
+ 	ZEND_PARSE_PARAMETERS_END();
+ 
+ 
+@@ -2309,7 +2309,7 @@ PHP_FUNCTION(getservbyport)
+ 
+ 	ZEND_PARSE_PARAMETERS_START(2, 2)
+ 		Z_PARAM_LONG(port)
+-		Z_PARAM_STRING(proto, proto_len)
++		Z_PARAM_PATH(proto, proto_len)
+ 	ZEND_PARSE_PARAMETERS_END();
+ 
+ 	serv = getservbyport(htons((unsigned short) port), proto);
+@@ -2332,7 +2332,7 @@ PHP_FUNCTION(getprotobyname)
+ 	struct protoent *ent;
+ 
+ 	ZEND_PARSE_PARAMETERS_START(1, 1)
+-		Z_PARAM_STRING(name, name_len)
++		Z_PARAM_PATH(name, name_len)
+ 	ZEND_PARSE_PARAMETERS_END();
+ 
+ 	ent = getprotobyname(name);
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index a81ae3f71fc..4b3fac8e915 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -368,7 +368,7 @@ PHP_FUNCTION(dns_check_record)
+ #endif
+ 
+ 	ZEND_PARSE_PARAMETERS_START(1, 2)
+-		Z_PARAM_STRING(hostname, hostname_len)
++		Z_PARAM_PATH(hostname, hostname_len)
+ 		Z_PARAM_OPTIONAL
+ 		Z_PARAM_STRING(rectype, rectype_len)
+ 	ZEND_PARSE_PARAMETERS_END();
+@@ -815,7 +815,7 @@ PHP_FUNCTION(dns_get_record)
+ 	zend_bool raw = 0;
+ 
+ 	ZEND_PARSE_PARAMETERS_START(1, 5)
+-		Z_PARAM_STRING(hostname, hostname_len)
++		Z_PARAM_PATH(hostname, hostname_len)
+ 		Z_PARAM_OPTIONAL
+ 		Z_PARAM_LONG(type_param)
+ 		Z_PARAM_ZVAL(authns)
+@@ -1053,7 +1053,7 @@ PHP_FUNCTION(dns_get_mx)
+ #endif
+ 
+ 	ZEND_PARSE_PARAMETERS_START(2, 3)
+-		Z_PARAM_STRING(hostname, hostname_len)
++		Z_PARAM_PATH(hostname, hostname_len)
+ 		Z_PARAM_ZVAL(mx_list)
+ 		Z_PARAM_OPTIONAL
+ 		Z_PARAM_ZVAL(weight_list)
+diff --git a/ext/standard/dns_win32.c b/ext/standard/dns_win32.c
+index d677da0c150..1870998ef1f 100644
+--- a/ext/standard/dns_win32.c
++++ b/ext/standard/dns_win32.c
+@@ -48,7 +48,7 @@ PHP_FUNCTION(dns_get_mx) /* {{{ */
+ 	DNS_STATUS      status;                 /* Return value of DnsQuery_A() function */
+ 	PDNS_RECORD     pResult, pRec;          /* Pointer to DNS_RECORD structure */
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "sz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS(), "pz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) {
+ 		RETURN_THROWS();
+ 	}
+ 
+@@ -101,7 +101,7 @@ PHP_FUNCTION(dns_check_record)
+ 	DNS_STATUS      status;                 /* Return value of DnsQuery_A() function */
+ 	PDNS_RECORD     pResult;          /* Pointer to DNS_RECORD structure */
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|s", &hostname, &hostname_len, &rectype, &rectype_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|s", &hostname, &hostname_len, &rectype, &rectype_len) == FAILURE) {
+ 		RETURN_THROWS();
+ 	}
+ 
+@@ -353,7 +353,7 @@ PHP_FUNCTION(dns_get_record)
+ 	int type, type_to_fetch, first_query = 1, store_results = 1;
+ 	zend_bool raw = 0;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|lz!z!b",
++	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|lz!z!b",
+ 			&hostname, &hostname_len, &type_param, &authns, &addtl, &raw) == FAILURE) {
+ 		RETURN_THROWS();
+ 	}
+diff --git a/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
+new file mode 100644
+index 00000000000..3d082c8e952
+--- /dev/null
++++ b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
+@@ -0,0 +1,62 @@
++--TEST--
++GHSA-www2-q4fc-65wf
++--DESCRIPTION--
++This is a ZPP test but *keep* this as it is security-sensitive!
++--FILE--
++<?php
++try {
++    dns_check_record("\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    dns_get_mx("\0", $out);
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    dns_get_record("\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    getprotobyname("\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    getservbyname("\0", "tcp");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    getservbyname("x", "tcp\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    getservbyport(0, "tcp\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    inet_pton("\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    ip2long("\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++?>
++--EXPECT--
++dns_check_record(): Argument #1 ($hostname) must not contain any null bytes
++dns_get_mx(): Argument #1 ($hostname) must not contain any null bytes
++dns_get_record(): Argument #1 ($hostname) must not contain any null bytes
++getprotobyname(): Argument #1 ($protocol) must not contain any null bytes
++getservbyname(): Argument #1 ($service) must not contain any null bytes
++getservbyname(): Argument #2 ($protocol) must not contain any null bytes
++getservbyport(): Argument #2 ($protocol) must not contain any null bytes
++inet_pton(): Argument #1 ($ip) must not contain any null bytes
++ip2long(): Argument #1 ($ip) must not contain any null bytes
+-- 
+2.52.0
+
diff --git a/php.spec b/php.spec
index 0be110282b60bd86b4f9dcd3cec2c9798657df91..cda799fb7eb4d20d2b10519ef42e82ad8b6f1ce1 100644
--- a/php.spec
+++ b/php.spec
@@ -26,7 +26,7 @@
 
 Name:          php
 Version:       %{upver}
-Release:       10
+Release:       11
 Summary:       PHP scripting language for creating dynamic web sites
 License:       PHP-3.01 AND Zend-2.0 AND BSD-2-Clause AND MIT AND Apache-1.0 AND NCSA AND BSL-1.0
 URL:           http://www.php.net/
@@ -78,6 +78,9 @@ Patch27:       php-8.0.30-pcretests.patch
 Patch28:       php-cve-2025-1220.patch
 Patch29:       php-cve-2025-6491.patch
 Patch30:       php-cve-2025-1735.patch
+Patch31:       php-cve-2025-14177.patch
+Patch32:       php-cve-2025-14178.patch
+Patch33:       php-ghsa-www2-q4fc-65wf.patch
 
 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@@ -1101,6 +1104,14 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 
 
 %changelog
+* Fri Dec 19 2025 Funda Wang <fundawang@yeah.net> - 8.0.30-11
+- Fix Null byte termination in dns_get_record()
+  GHSA-www2-q4fc-65wf
+- Fix Heap buffer overflow in array_merge()
+  CVE-2025-14178
+- Fix Information Leak of Memory in getimagesize
+  CVE-2025-14177
+
 * Wed Jul 02 2025 Funda Wang <fundawang@yeah.net> - 8.0.30-10
 - fix CVE-2025-1220, CVE-2025-6491, CVE-2025-1735