CVE-2026-6722
Received Received - Intake
Use-After-Free in PHP SOAP Extension

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: PHP Group

Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global mapΒ without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-06-19
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2026-6722
EUVD
EUVD-2026-28966
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
php php to 8.2.31 (exc)
php php to 8.3.31 (exc)
php php to 8.4.21 (exc)
php php to 8.5.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6722 is a Use-After-Free vulnerability in the SOAP extension of PHP. It happens because the extension stores pointers to PHP objects in a global map without increasing their reference counts. When duplicate keys exist in this map, the second entry overwrites the first, freeing the original object but leaving a stale pointer behind. An attacker controlling the SOAP request can exploit this stale pointer to execute arbitrary code remotely by manipulating the freed memory.

Impact Analysis

This vulnerability can lead to remote code execution, allowing an attacker to run arbitrary code on the affected system. This can compromise the security and integrity of the server running PHP, potentially leading to unauthorized access, data theft, or further exploitation of the system.

Detection Guidance

This vulnerability is a Use-After-Free issue in the PHP SOAP extension related to object reference counting during XML graph traversal. Detection involves identifying vulnerable PHP versions and monitoring SOAP requests for suspicious behavior.

To detect if your system is vulnerable, first check the PHP version installed on your system. Versions prior to 8.2.31, 8.3.31, 8.4.21, and 8.5.6 are affected.

  • Check PHP version: php -v
  • Inspect loaded PHP modules to confirm if the SOAP extension is enabled: php -m | grep soap

For network detection, monitor SOAP request bodies for unusual or malicious payloads that could exploit the object deduplication mechanism, although no specific commands are provided for this.

Mitigation Strategies

The primary mitigation step is to upgrade PHP to a fixed version where the vulnerability is resolved.

  • Upgrade PHP to version 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later.

The fix involves increasing the reference count of objects before adding them to the internal map and properly deallocating them, preventing premature freeing and use-after-free conditions.

Until upgrading, consider disabling the SOAP extension if it is not required, to reduce the attack surface.

Compliance Impact

The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6722. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart