Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, when a SOAP request results in an error, the persistence is handled incorrectly: the object is freed while a pointer to it is kept, which may lead to a use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.
Published: 2026-05-10
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw occurs in PHP’s SoapServer when the SOAP_PERSISTENCE_SESSION option is enabled and a SOAP request ends in an error. The server frees the handler object while retaining a pointer to it, which can cause memory corruption, data leakage, or application crashes.

Affected Systems

The vulnerability affects PHP Group PHP versions 8.2 before 8.2.31, 8.3 before 8.3.31, 8.4 before 8.4.21, and 8.5 before 8.5.6 when SoapServer is configured to persist the handler object across requests via session storage.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity, and the EPSS score is not available. The issue is not yet listed in CISA’s KEV catalog. A remote attacker can exploit the flaw by sending crafted SOAP requests that trigger a fault while SOAP_PERSISTENCE_SESSION is active. Successful exploitation may lead to memory corruption, information disclosure, or denial of service depending on the environment and error conditions.

Generated by OpenCVE AI on May 10, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official PHP patch by upgrading to PHP 8.2.31, 8.3.31, 8.4.21, or 8.5.6 or later.
  • If an upgrade is not immediately possible, disable SOAP_PERSISTENCE_SESSION in the SoapServer configuration so the handler object is not persisted across requests.
  • Review and harden SOAP endpoint access controls and monitor for SOAP fault errors to detect potential exploitation attempts.

Generated by OpenCVE AI on May 10, 2026 at 05:22 UTC.
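The first two recommended actions can be checked mechanically. The following triage helper is an added example, not code from the PHP project or OpenCVE: it compares an upstream PHP version string against the fixed releases named above and scans PHP source for the SoapServer::setPersistence(SOAP_PERSISTENCE_SESSION) call. The function names, status labels and sample source are assumptions made for illustration.

```python
import re

# Fixed patch level per affected branch, taken from the advisory text.
FIXED = {(8, 2): 31, (8, 3): 31, (8, 4): 21, (8, 5): 6}

# The SoapServer::setPersistence() call that enables session persistence.
SESSION_CALL = re.compile(r"setPersistence\s*\(\s*\\?SOAP_PERSISTENCE_SESSION\s*\)")


def version_affected(version):
    """True/False for the branches the advisory names, None for any other.

    Compares upstream version numbers only; a distribution package may
    carry the fix under a different version, so check the vendor advisory.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch < fixed


def session_persistence_lines(php_source):
    """1-based line numbers that enable SOAP_PERSISTENCE_SESSION."""
    hits = []
    for n, line in enumerate(php_source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue  # skip comment-only lines
        if SESSION_CALL.search(line):
            hits.append(n)
    return hits


def triage(version, php_source):
    """Return (status, matching_lines) for one endpoint's source."""
    affected = version_affected(version)
    lines = session_persistence_lines(php_source)
    if affected is None:
        return "unknown-branch", lines
    if not affected:
        return "patched", lines
    return ("exposed" if lines else "persistence-not-enabled"), lines


# Constructed sample endpoint, not taken from any real project.
SAMPLE = """<?php
$server = new SoapServer('service.wsdl');
$server->setClass('OrderService');
$server->setPersistence(SOAP_PERSISTENCE_SESSION);
// $server->setPersistence(SOAP_PERSISTENCE_REQUEST);
$server->handle();
"""
```

An "exposed" result means both conditions from the description hold: an affected upstream version and a handler persisted via session storage.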

Advisories
Source | ID | Title
Debian DSA | DSA-6255-1 | php8.2 security update
Debian DSA | DSA-6256-1 | php8.4 security update
History

Sun, 10 May 2026 05:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Php Group; Php Group php
Vendors & Products | | Php Group; Php Group php

Sun, 10 May 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, when a SOAP request results in an error, the persistence is handled incorrectly: the object is freed while a pointer to it is kept, which may lead to a use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.
Title | | SoapServer session-persisted object use-after-free via SOAP header fault
Weaknesses | | CWE-416
References | |
Metrics | | cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:P/AU:Y/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: php

Published:

Updated: 2026-05-10T04:07:25.484Z

Reserved: 2026-04-28T05:08:46.198Z

Link: CVE-2026-7261

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T05:16:11.640

Modified: 2026-05-10T05:16:11.640

Link: CVE-2026-7261

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T05:30:05Z
