Nora Dossche

#24800 of 53,633
9.8 Total CVSS
Vulnerabilities · 1
PT-2026-39444
9.8
2026-05-07
Php · Php · CVE-2026-6722
**Name of the Vulnerable Software and Affected Versions**

- PHP versions 8.2.0 through 8.2.30
- PHP versions 8.3.0 through 8.3.30
- PHP versions 8.4.0 through 8.4.20
- PHP versions 8.5.0 through 8.5.5

**Description**

A use-after-free issue exists in the SOAP extension's object deduplication mechanism, specifically within the `soap_add_xml_ref()` function. The mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an `apache:Map` node contains duplicate keys, the second entry overwrites the first in the temporary result map, freeing the original PHP object while a stale pointer remains. A subsequent `href` reference to the freed node can copy this dangling pointer into the result. Since PHP string allocations can reclaim the freed memory region, a remote attacker controlling the SOAP request body can exploit this to achieve remote code execution.

**Recommendations**

- Update PHP version 8.2.x to 8.2.31
- Update PHP version 8.3.x to 8.3.31
- Update PHP version 8.4.x to 8.4.21
- Update PHP version 8.5.x to 8.5.6