Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
Published: 2026-05-10
Score: 9.5 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use-after-free flaw in PHP's SOAP extension that occurs during object deduplication when an apache:Map node contains duplicate keys. Processing the duplicate entry frees a PHP object while a dangling pointer to it remains in the global map, and a later href reference can copy that pointer into the result. Because PHP string allocations can reclaim the freed region, an attacker who controls the SOAP request body can achieve remote code execution. The weakness is a classic use-after-free, classified as CWE-416.

Affected Systems

PHP Group's PHP releases 8.2, 8.3, 8.4, and 8.5 are affected. Versions prior to 8.2.31, 8.3.31, 8.4.21, and 8.5.6 respectively are vulnerable. The vulnerability resides in the SOAP extension, which is enabled by default in most PHP deployments.

Risk and Exploitability

The flaw carries a CVSS score of 9.5, indicating a critical severity. No EPSS score is available, but the exploit requires remote access through a crafted SOAP request containing duplicate keys, a scenario that is feasible for attackers who can send arbitrary SOAP messages. The vulnerability is not listed in CISA's KEV catalog yet, but the high severity and remote exploitation potential warrant urgent attention. An attacker with control over the SOAP body can trigger the use‑after‑free, leading to arbitrary code execution on the affected host.

Generated by OpenCVE AI on May 10, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PHP to a non‑vulnerable release (8.2.31 or newer, 8.3.31 or newer, 8.4.21 or newer, or 8.5.6 or newer).
  • If an upgrade is not yet possible, disable the PHP SOAP extension or configure your application to reject SOAP requests that contain duplicate keys in apache:Map nodes.
  • Implement inbound filtering or WAF rules to block malformed SOAP traffic targeting the SOAP endpoint.
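
One way to implement the duplicate-key rejection from the second action as a pre-filter in front of the PHP endpoint, written in Python as an added example (not OpenCVE's or the PHP project's code; all function names are hypothetical). It assumes the Apache Map wire shape of item elements that each hold a key and a value child, which this page does not spell out. It is deliberately conservative: it flags repeated keys under any parent element and treats keys that differ only in surrounding whitespace or integer formatting as equal.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a SOAP body whose Map carries the key "a" twice.
SAMPLE_DUPLICATE = b"""<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:apache="http://xml.apache.org/xml-soap">
  <SOAP-ENV:Body><ns1:call xmlns:ns1="urn:example"><arg xsi:type="apache:Map">
    <item><key>a</key><value>1</value></item>
    <item><key>a</key><value>2</value></item>
  </arg></ns1:call></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
# Constructed sample: the same body with two distinct keys.
SAMPLE_CLEAN = SAMPLE_DUPLICATE.replace(b"<key>a</key><value>2", b"<key>b</key><value>2")

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]

def _norm_key(text):
    """Trim whitespace and canonicalise integers so '7' and '07' compare equal."""
    text = (text or "").strip()
    return str(int(text)) if re.fullmatch(r"[+-]?\d+", text) else text

def duplicate_map_keys(body: bytes):
    """Return the sorted keys that occur more than once under a single parent."""
    if b"<!DOCTYPE" in body.upper():  # assumes an ASCII-compatible encoding
        raise ValueError("DOCTYPE not allowed in a SOAP request")
    dupes = set()
    for node in ET.fromstring(body).iter():
        seen = set()
        for item in node:
            if _local(item.tag) != "item":
                continue
            for child in item:
                if _local(child.tag) == "key":
                    key = _norm_key(child.text)
                    (dupes if key in seen else seen).add(key)
                    break
    return sorted(dupes)

def should_reject(body: bytes) -> bool:
    """Fail closed: reject duplicate keys and anything that does not parse."""
    try:
        return bool(duplicate_map_keys(body))
    except (ValueError, ET.ParseError):
        return True
```

A filter like this only narrows exposure until the fixed PHP release is installed; log the rejected requests so that probing of the endpoint is visible.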



Advisories
Source | ID | Title
Debian DSA | DSA-6255-1 | php8.2 security update
Debian DSA | DSA-6256-1 | php8.4 security update

History

Sun, 10 May 2026 05:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Php Group; Php Group php
Vendors & Products | | Php Group; Php Group php

Sun, 10 May 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | (text identical to the Description at the top of this page)
Title | | Use-After-Free in SOAP using Apache map
Weaknesses | | CWE-416
References | |
Metrics | | cvssV4_0: {'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/RE:M/U:Red'}


MITRE

Status: PUBLISHED

Assigner: php

Published:

Updated: 2026-05-10T04:19:15.288Z

Reserved: 2026-04-20T19:39:59.836Z

Link: CVE-2026-6722

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T05:16:11.070

Modified: 2026-05-10T05:16:11.070

Link: CVE-2026-6722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T05:30:05Z

Weaknesses