CVE-2026-6722

EUVD-2026-28966
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
phpCNA
9.5 CRITICAL
NETWORK
HIGH
NONE
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/RE:M/U:Red
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
phpphp
8.2.* ≤
𝑥
< 8.2.31
CNA
phpphp
8.3.* ≤
𝑥
< 8.3.31
CNA
phpphp
8.4.* ≤
𝑥
< 8.4.21
CNA
phpphp
8.5.* ≤
𝑥
< 8.5.6
CNA
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bullseye
vulnerable
bullseye (security)
vulnerable
php8.2
bookworm
vulnerable
bookworm (security)
8.2.31-1~deb12u1
fixed
php8.4
forky
vulnerable
sid
8.4.21-1
fixed
trixie
vulnerable
trixie (security)
8.4.21-1~deb13u1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5