CVE-2026-6722
Use-After-Free in PHP SOAP Extension
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: PHP Group
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| php | php | to 8.2.31 (exc) |
| php | php | to 8.3.31 (exc) |
| php | php | to 8.4.21 (exc) |
| php | php | to 8.5.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6722 is a Use-After-Free vulnerability in the SOAP extension of PHP. It happens because the extension stores pointers to PHP objects in a global map without increasing their reference counts. When duplicate keys exist in this map, the second entry overwrites the first, freeing the original object but leaving a stale pointer behind. An attacker controlling the SOAP request can exploit this stale pointer to execute arbitrary code remotely by manipulating the freed memory.
How can this vulnerability impact me? :
This vulnerability can lead to remote code execution, allowing an attacker to run arbitrary code on the affected system. This can compromise the security and integrity of the server running PHP, potentially leading to unauthorized access, data theft, or further exploitation of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Use-After-Free issue in the PHP SOAP extension related to object reference counting during XML graph traversal. Detection involves identifying vulnerable PHP versions and monitoring SOAP requests for suspicious behavior.
To detect if your system is vulnerable, first check the PHP version installed on your system. Versions prior to 8.2.31, 8.3.31, 8.4.21, and 8.5.6 are affected.
- Check PHP version: php -v
- Inspect loaded PHP modules to confirm if the SOAP extension is enabled: php -m | grep soap
For network detection, monitor SOAP request bodies for unusual or malicious payloads that could exploit the object deduplication mechanism, although no specific commands are provided for this.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade PHP to a fixed version where the vulnerability is resolved.
- Upgrade PHP to version 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later.
The fix involves increasing the reference count of objects before adding them to the internal map and properly deallocating them, preventing premature freeing and use-after-free conditions.
Until upgrading, consider disabling the SOAP extension if it is not required, to reduce the attack surface.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.