From efc42033d54d0c3eeefd1c5ce8b197783846e635 Mon Sep 17 00:00:00 2001
From: Weilin Du <108666168+LamentXU123@users.noreply.github.com>
Date: Tue, 5 May 2026 19:21:44 +0800
Subject: [PATCH 1/2] ext/pcntl: Ensure `$array` is a list array in
 `pcntl_exec` (#21951)

---
 NEWS                                      |  4 ++++
 UPGRADING                                 |  2 ++
 ext/pcntl/pcntl.c                         |  6 +++++-
 ext/pcntl/tests/pcntl_exec_list_args.phpt | 14 ++++++++++++++
 4 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 ext/pcntl/tests/pcntl_exec_list_args.phpt

diff --git a/NEWS b/NEWS
index fe70343e8398..5f0c155a3f7b 100644
--- a/NEWS
+++ b/NEWS
@@ -85,6 +85,10 @@ PHP                                                                        NEWS
     list of candidate encodings (with 200,000+ entries). (Jordi Kroon)
   . mbregex has been deprecated. (youkidearitai)
 
+- PCNTL:
+  . pcntl_exec() now throws a ValueError if the $args array is not a list
+    array. (Weilin Du)
+
 - Mysqli:
   . Added mysqli_quote_string() and mysqli::quote_string(). (Kamil Tekiela)
 
diff --git a/UPGRADING b/UPGRADING
index fe44036383d0..d271eb47f7d1 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -37,6 +37,8 @@ PHP 8.6 UPGRADE NOTES
 - PCNTL:
   . pcntl_alarm() now raises a ValueError if the seconds argument is
     lower than zero or greater than platform's UINT_MAX.
+  . pcntl_exec() now raises a ValueError if the $args argument is not a list
+    array.
 
 - PCRE:
   . preg_grep() now returns false instead of a partial array when a PCRE
diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c
index e9453b21329e..2ba732c4540e 100644
--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@@ -675,7 +675,11 @@ PHP_FUNCTION(pcntl_exec)
 	ZEND_PARSE_PARAMETERS_END();
 
 	if (args != NULL) {
-		// TODO Check array is a list?
+		if (!zend_array_is_list(Z_ARRVAL_P(args))) {
+			zend_argument_value_error(2, "must be a list array");
+			RETURN_THROWS();
+		}
+
 		/* Build argument list */
 		SEPARATE_ARRAY(args);
 		const HashTable *args_ht = Z_ARRVAL_P(args);
diff --git a/ext/pcntl/tests/pcntl_exec_list_args.phpt b/ext/pcntl/tests/pcntl_exec_list_args.phpt
new file mode 100644
index 000000000000..5cd8c0fbe228
--- /dev/null
+++ b/ext/pcntl/tests/pcntl_exec_list_args.phpt
@@ -0,0 +1,14 @@
+--TEST--
+pcntl_exec(): Argument array must be a list
+--EXTENSIONS--
+pcntl
+--FILE--
+<?php
+try {
+    pcntl_exec('cmd', ['opt' => '-n']);
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+ValueError: pcntl_exec(): Argument #2 ($args) must be a list array

From 631c366f9f58c8ba4078a48d1f56187cfbf8e549 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Tue, 5 May 2026 12:54:25 +0100
Subject: [PATCH 2/2] [ci skip] fix NEWS last entry

---
 NEWS | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 5f0c155a3f7b..4ace7d3dc462 100644
--- a/NEWS
+++ b/NEWS
@@ -85,10 +85,6 @@ PHP                                                                        NEWS
     list of candidate encodings (with 200,000+ entries). (Jordi Kroon)
   . mbregex has been deprecated. (youkidearitai)
 
-- PCNTL:
-  . pcntl_exec() now throws a ValueError if the $args array is not a list
-    array. (Weilin Du)
-
 - Mysqli:
   . Added mysqli_quote_string() and mysqli::quote_string(). (Kamil Tekiela)
 
@@ -103,6 +99,10 @@ PHP                                                                        NEWS
   . Added TLS session resumption support for streams with new context options
     and Openssl\Session class. (Jakub Zelenka)
 
+- PCNTL:
+  . pcntl_exec() now throws a ValueError if the $args array is not a list
+    array. (Weilin Du)
+
 - PDO_DBLIB;
   . Added dblib_handle_check_liveness handler. (freddy77)