CVE-2026-6722
Published 2026-05-10
Priority P261 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.69% (48.0th percentile)
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php8.4 | — | — |
| php | php | — | — |
| php | php | >= 8.2.0 < 8.2.31 | 8.2.31 |
| php | php | >= 8.3.0 < 8.3.31 | 8.3.31 |
| php | php | >= 8.4.0 < 8.4.21 | 8.4.21 |
| php | php | >= 8.5.0 < 8.5.6 | 8.5.6 |
| php_7.4 | php | — | — |
| php_8.2 | php | — | — |
| php_8.3 | php | — | — |
| php_group | php | >= 8.2.* < 8.2.31 | 8.2.31 |
| php_group | php | >= 8.3.* < 8.3.31 | 8.3.31 |
| php_group | php | >= 8.4.* < 8.4.21 | 8.4.21 |
| php_group | php | >= 8.5.* < 8.5.6 | 8.5.6 |
| ubuntu | php8.1 | — | — |
| ubuntu | php8.3 | — | — |
| ubuntu | php8.4 | — | — |
| ubuntu | php8.5 | — | — |
Detection & IOCs (extracted from sources)
- Trigger condition: an apache:Map node with duplicate keys in a SOAP request body causes use-after-free; monitor for SOAP requests containing duplicate keys within apache:Map nodes targeting PHP SOAP endpoints
- Exploit delivery vector: attacker must control the SOAP request body; inspect/alert on inbound SOAP request bodies for duplicate apache:Map keys combined with href references to freed nodes
- Affected component is the PHP SOAP extension (php-soap / php-src); scope detection to processes/services running PHP 8.2.x < 8.2.31, 8.3.x < 8.3.31, 8.4.x < 8.4.21, or 8.5.x < 8.5.6 with the SOAP extension loaded
- Red Hat notes that PHP applications not running as root will restrict code execution to the current working user context; full system compromise is not guaranteed on properly configured Red Hat systems
- No mitigation is currently available that meets Red Hat Product Security criteria; patching to fixed versions is the only remediation path
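One way to implement the first check in the list above, for captured or proxied SOAP request bodies, is sketched below. It is an added example, not code from PHP or from any of the sources quoted on this page. The function names, the constructed sample envelopes, the `item`/`key`/`value` child layout assumed for Map nodes, and matching `xsi:type` on its local part only are all assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def local(name: str) -> str:
    """Drop the '{namespace}' or 'prefix:' part of a tag or QName value."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]

def duplicate_map_keys(body: bytes) -> list[tuple[str, int]]:
    """Return (key, count) for every key repeated inside one Map node."""
    if b"<!DOCTYPE" in body.upper():
        # SOAP messages must not carry a DTD; refuse rather than expand entities.
        raise ValueError("DTD present in SOAP body")
    findings = []
    for node in ET.fromstring(body).iter():
        # Assumption: match xsi:type on its local part ("Map") only; a
        # production rule should also resolve the prefix to its namespace.
        if local(node.get(XSI_TYPE, "")) != "Map":
            continue
        # Assumption: entries are <item><key/><value/></item> children.
        keys = Counter(
            (child.text or "").strip()
            for item in node if local(item.tag) == "item"
            for child in item if local(child.tag) == "key"
        )
        findings += [(k, n) for k, n in keys.items() if n > 1]
    return findings

# Constructed sample input (not taken from any real request or advisory).
SAMPLE_DUP = b"""<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:apache="http://xml.apache.org/xml-soap">
 <SOAP-ENV:Body><op><arg xsi:type="apache:Map">
  <item><key>a</key><value>1</value></item>
  <item><key>a</key><value>2</value></item>
  <item><key>b</key><value>3</value></item>
 </arg></op></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
# Same envelope with the repeated key renamed, so no key occurs twice.
SAMPLE_OK = SAMPLE_DUP.replace(b"<key>a</key><value>2", b"<key>c</key><value>2")

if __name__ == "__main__":
    print(duplicate_map_keys(SAMPLE_DUP), duplicate_map_keys(SAMPLE_OK))
```

A non-empty result is a reason to log or alert on the request; it does not replace upgrading to the fixed PHP versions listed in the table above.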
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.5 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Red |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 7.4 | HIGH | — |
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2026-05-28·CVSS 7.4
CVE-2026-7259 [HIGH] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly
handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An
attacker could possibly use this issue to perform SQL injection attacks.
(CVE-2025-14179)
It was discovered that PHP incorrectly handled certain encoding names in
mbstring. An attacker could possibly use this issue to obtain sensitive
information or cause a denial of service. This issue only affected Ubuntu
25.10 and Ubuntu 26.04 LTS. (CVE-2026-6104)
It was discovered that PHP incorrectly handled object references while
parsing crafted SOAP requests. A remote attacker could possibly use this
issue to execute arbitrary code. (CVE-2026-6722)
It was discovered that PH
Red Hat
php: php-soap: php-src: PHP SOAP extension: Remote Code Execution via use-after-free vulnerability
vendor_redhat·2026-05-10·CVSS 9.8
CVE-2026-6722 [CRITICAL] CWE-825 php: php-soap: php-src: PHP SOAP extension: Remote Code Execution via use-after-free vulnerability
VulDB
PHP up to 8.2.30/8.3.30/8.4.20/8.5.5 SOAP Extension use after free (GHSA-85c2-q967-79q5 / WID-SEC-2026-1433)
vuldb·2026-05-10·CVSS 9.5
CVE-2026-6722 [CRITICAL] PHP up to 8.2.30/8.3.30/8.4.20/8.5.5 SOAP Extension use after free (GHSA-85c2-q967-79q5 / WID-SEC-2026-1433)
A vulnerability marked as critical has been reported in PHP up to 8.2.30/8.3.30/8.4.20/8.5.5. This affects an unknown part of the component SOAP Extension. This manipulation causes use after free.
This vulnerability is registered as CVE-2026-6722. Remote exploitation of the attack is possible. No exploit is available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
blogs_hackernews·2026-05-18·CVSS 6.1
CVE-2026-42897 [MEDIUM] ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
## ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.
The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off.
Patch the quiet risks first. Let’s g
Rapid7
Patch Tuesday - May 2026
blogs_rapid7·2026-05-13·CVSS 10.0
CVE-2026-41089 [CRITICAL] Patch Tuesday - May 2026
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
Bugzilla
CVE-2026-6722 php: PHP SOAP extension: Remote Code Execution via use-after-free vulnerability [fedora-all]
bugzilla·2026-06-08·CVSS 9.8
CVE-2026-6722 [CRITICAL] CVE-2026-6722 php: PHP SOAP extension: Remote Code Execution via use-after-free vulnerability [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-6722 php: php-soap: php-src: PHP SOAP extension: Remote Code Execution via use-after-free vulnerability
bugzilla·2026-05-10·CVSS 9.8
CVE-2026-6722 [CRITICAL] CVE-2026-6722 php: php-soap: php-src: PHP SOAP extension: Remote Code Execution via use-after-free vulnerability
Published: 2026-05-10