CVE-2026-7261
Heap Use-After-Free in PHP SoapServer Session Handling
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: PHP Group
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| php | php | to 8.2.31 (exc) |
| php | php | to 8.3.31 (exc) |
| php | php | to 8.4.21 (exc) |
| php | php | to 8.5.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7261 is a moderate-severity vulnerability in PHP's SOAP extension affecting versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. It involves a use-after-free issue in the SoapServer class when session persistence is enabled using SOAP_PERSISTENCE_SESSION.
The problem arises because when a SOAP request results in an error (such as a SOAP header handler returning false or throwing an exception), the persistence handling incorrectly frees the handler object but keeps a pointer to it in session storage. This leads to a use-after-free condition when the session is accessed later.
This flaw can cause memory corruption, information disclosure, or process crashes, impacting the confidentiality, integrity, and availability of the affected system.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to memory corruption, which may cause process crashes or unexpected behavior in PHP SOAP servers.
It may also result in information disclosure, potentially exposing sensitive data handled by the SOAP server.
Overall, the vulnerability impacts the confidentiality, integrity, and availability of the vulnerable system, although exploitation is challenging due to the typical single-request-per-PHP-process nature of SOAP servers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying PHP installations running affected versions prior to 8.2.31, 8.3.31, 8.4.21, or 8.5.6 that use the SoapServer class with SOAP_PERSISTENCE_SESSION enabled.
You can check the PHP version by running the command: php -v
To detect if SOAP_PERSISTENCE_SESSION is used, review your PHP SOAP server code or configuration for the use of SoapServer with the SOAP_PERSISTENCE_SESSION flag.
Additionally, monitoring logs for SOAP request errors or crashes related to the SOAP handler object may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade PHP to a fixed version: 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later.
If upgrading is not immediately possible, consider disabling SOAP_PERSISTENCE_SESSION in your SoapServer configuration to avoid the use-after-free condition.
Also, monitor your SOAP server logs for errors and crashes that may indicate attempts to exploit this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in PHP's SoapServer extension may lead to information disclosure, memory corruption, or process crashes, impacting confidentiality, integrity, and availability of the affected system.
Such impacts on confidentiality and integrity could potentially affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system reliability.
However, the provided information does not explicitly describe direct effects or compliance implications related to these standards.