cbcvebase.
CVE-2026-6722
published 2026-05-10

Priority P261 | critical | 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.69% (48.0th percentile)

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

Affected

17 ranges
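| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php8.4 | | |
| php | php | | |
| php | php | >= 8.2.0 < 8.2.31 | 8.2.31 |
| php | php | >= 8.3.0 < 8.3.31 | 8.3.31 |
| php | php | >= 8.4.0 < 8.4.21 | 8.4.21 |
| php | php | >= 8.5.0 < 8.5.6 | 8.5.6 |
| php_7.4 | php | | |
| php_8.2 | php | | |
| php_8.3 | php | | |
| php_group | php | >= 8.2.* < 8.2.31 | 8.2.31 |
| php_group | php | >= 8.3.* < 8.3.31 | 8.3.31 |
| php_group | php | >= 8.4.* < 8.4.21 | 8.4.21 |
| php_group | php | >= 8.5.* < 8.5.6 | 8.5.6 |
| ubuntu | php8.1 | | |
| ubuntu | php8.3 | | |
| ubuntu | php8.4 | | |
| ubuntu | php8.5 | | |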

Detection & IOCs (extracted from sources)

  • Trigger condition: an apache:Map node with duplicate keys in a SOAP request body causes use-after-free; monitor for SOAP requests containing duplicate keys within apache:Map nodes targeting PHP SOAP endpoints
  • Exploit delivery vector: attacker must control the SOAP request body; inspect/alert on inbound SOAP request bodies for duplicate apache:Map keys combined with href references to freed nodes
  • Affected component is the PHP SOAP extension (php-soap / php-src); scope detection to processes/services running PHP 8.2.x < 8.2.31, 8.3.x < 8.3.31, 8.4.x < 8.4.21, or 8.5.x < 8.5.6 with the SOAP extension loaded
  • Red Hat notes that PHP applications not running as root will restrict code execution to the current working user context; full system compromise is not guaranteed on properly configured Red Hat systems
  • No mitigation is currently available that meets Red Hat Product Security criteria; patching to fixed versions is the only remediation path
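
One way to implement the inbound-body check described in the first two bullets, as an added example that is not part of the original entry or of PHP's own code. The function name `inspect_soap_body`, the heuristic that a Map is any element whose `xsi:type` local name is `Map`, the `item`/`key` child layout, and the sample bodies are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def local(name):
    """Strip '{namespace}' or 'prefix:' from a tag or QName string."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]

def inspect_soap_body(body: bytes) -> dict:
    """Report duplicate keys per apache:Map element and whether any href is present."""
    result = {"error": None, "duplicate_keys": {}, "has_href": False}
    if b"<!DOCTYPE" in body.upper():
        # SOAP messages must not carry a DTD; refuse instead of expanding entities.
        return {**result, "error": "doctype"}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {**result, "error": "malformed"}
    for elem in root.iter():
        if "href" in elem.attrib:
            result["has_href"] = True
        # Heuristic (assumption): xsi:type with local name "Map" marks an apache:Map.
        if local(elem.get(XSI_TYPE, "")) != "Map":
            continue
        keys = Counter()
        for item in elem:
            if local(item.tag) != "item":
                continue
            for child in item:
                if local(child.tag) == "key":
                    keys[(child.text or "").strip()] += 1
        repeated = {k: n for k, n in keys.items() if n > 1}
        if repeated:
            result["duplicate_keys"][local(elem.tag)] = repeated
    return result

# Constructed sample bodies (not captured traffic).
ENVELOPE = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
            b'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
            b'xmlns:apache="http://xml.apache.org/xml-soap"><soapenv:Body><op>'
            b'<settings xsi:type="apache:Map">%s</settings></op></soapenv:Body></soapenv:Envelope>')
ITEM = b"<item><key>%s</key><value>%s</value></item>"
BENIGN = ENVELOPE % (ITEM % (b"color", b"red") + ITEM % (b"size", b"L"))
SUSPECT = ENVELOPE % (ITEM % (b"color", b"red") + ITEM % (b"color", b"blue"))

if __name__ == "__main__":
    print(inspect_soap_body(BENIGN), inspect_soap_body(SUSPECT), sep="\n")
```

A non-empty `duplicate_keys` result is the condition to alert on; `has_href` being true in the same body raises the priority, and bodies that return an `error` should be logged for review rather than silently passed.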

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.5 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Red |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 7.4 | HIGH | |