CVE-2026-6722
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk48th percentile — higher than 48% of all known CVEs
Summary
PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6 contain a use-after-free vulnerability in the SOAP extension's object deduplication mechanism. Storing pointers to PHP objects in a global map without incrementing reference counts, combined with duplicate keys in an apache:Map node, leads to freed memory and potential remote code execution.
Risk Assessment
An attacker controlling the SOAP request body can exploit this vulnerability to achieve remote code execution on the server, leading to full compromise of the application and potentially the entire system.
Recommendation
Immediately upgrade PHP to version 8.2.31, 8.3.31, 8.4.21, or 8.5.6 depending on your branch. If an upgrade is not possible, temporarily disable the SOAP extension.
Original NVD description (English source)
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

