CVE-2026-6722
Published:May 10, 2026
Updated:May 16, 2026
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
Affected Packages
https://github.com/php/php-src.git (GITHUB):
Affected version(s) >=php-8.5.0 <php-8.5.6Fix Suggestion:
Update to version php-8.5.6https://github.com/php/php-src.git (GITHUB):
Affected version(s) >=php-8.2.0 <php-8.2.31Fix Suggestion:
Update to version php-8.2.31https://github.com/php/php-src.git (GITHUB):
Affected version(s) >=php-8.4.0 <php-8.4.21Fix Suggestion:
Update to version php-8.4.21https://github.com/php/php-src.git (GITHUB):
Affected version(s) >=php-8.3.0 <php-8.3.31Fix Suggestion:
Update to version php-8.3.31Related Resources (1)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.5
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Use After Free
EPSS
Base Score:
0.30