CVE-2026-6722

UNKNOWN 0.0

Use-After-Free in SOAP using Apache map

CVSS Score

0.0

EPSS Score

0.3%

EPSS Percentile

53th

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

CWE	CWE-416
Vendor	php group
Product	php
Published	May 10, 2026
Last Updated	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for php group php

Be the first to know when new unknown vulnerabilities affecting php group php are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

PHP Group / PHP

8.2.* < 8.2.31 8.3.* < 8.3.31 8.4.* < 8.4.21 8.5.* < 8.5.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5

Credits

🔍 brettgervasoni Ilija Tovilo Nora Dossche