CVE-2026-6722

Name of the Vulnerable Software and Affected Versions PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5

Description A use-after-free issue exists in the SOAP extension's object deduplication mechanism, specifically within the soap add xml ref() function. The mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, the second entry overwrites the first in the temporary result map, freeing the original PHP object while a stale pointer remains. A subsequent href reference to the freed node can copy this dangling pointer into the result. Since PHP string allocations can reclaim the freed memory region, a remote attacker controlling the SOAP request body can exploit this to achieve remote code execution.

Recommendations Update PHP version 8.2.x to 8.2.31 Update PHP version 8.3.x to 8.3.31 Update PHP version 8.4.x to 8.4.21 Update PHP version 8.5.x to 8.5.6