CVE-2026-6722 Overview
CVE-2026-6722 is a use-after-free vulnerability [CWE-416] in the PHP Simple Object Access Protocol (SOAP) extension. The flaw resides in the object deduplication mechanism, which stores pointers to PHP objects in a global map without incrementing their reference counts. An attacker controlling a SOAP request body can trigger a dangling pointer and reclaim the freed memory through PHP string allocations. Successful exploitation results in remote code execution on the affected server. The vulnerability affects PHP versions 8.2.x, 8.3.x, 8.4.x, and 8.5.x prior to their respective fixed releases.
Critical Impact
Network-reachable PHP applications parsing untrusted SOAP requests can be compromised, granting attackers arbitrary code execution under the web server process.
Affected Products
- PHP 8.2.x before 8.2.31
- PHP 8.3.x before 8.3.31
- PHP 8.4.x before 8.4.21
- PHP 8.5.x before 8.5.6
Discovery Timeline
- 2026-05-10 - CVE-2026-6722 published to the National Vulnerability Database
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-6722
Vulnerability Analysis
The SOAP extension in PHP deduplicates objects during XML deserialization by tracking previously-decoded nodes in a global pointer map. The implementation stores raw pointers to PHP objects without incrementing their reference counts. This shortcut creates a mismatch between object lifetime and the references the deserializer relies on. When the SOAP parser revisits a node through an href reference, it expects the original object to remain valid in memory.
An apache:Map node with duplicate keys breaks that assumption. Processing the second entry overwrites the first in the temporary result map, which frees the original PHP object. The stale pointer remains in the global deduplication map. A subsequent href reference copies the dangling pointer into the result structure, completing the use-after-free condition.
Because PHP string allocations can reclaim the freed memory region, an attacker shapes the heap to place attacker-controlled bytes where the freed object lived. The resulting type confusion allows arbitrary memory read and write primitives, which lead to remote code execution under the PHP worker process.
Root Cause
The root cause is missing reference counting in the SOAP extension's object deduplication logic. Storing raw pointers in the global map without Z_ADDREF semantics allows freed objects to remain referenced after deallocation, violating PHP's memory ownership model.
Attack Vector
Exploitation requires sending a crafted SOAP request body to a PHP endpoint that invokes the SOAP extension to parse client input. No authentication is required when the target endpoint accepts unauthenticated SOAP traffic. The attacker embeds a duplicate-key apache:Map node followed by an href reference to the freed entry, then sprays controlled strings to reclaim the freed allocation.
Full technical details are documented in the PHP Security Advisory GHSA-85c2-q967-79q5.
Detection Methods for CVE-2026-6722
Indicators of Compromise
- SOAP request bodies containing apache:Map nodes with duplicated child keys followed by href back-references to those keys
- PHP-FPM or httpd worker crashes with segmentation faults shortly after receiving SOAP traffic
- Unexpected child processes spawned by PHP worker processes following SOAP request handling
- Outbound network connections initiated by PHP workers to unfamiliar hosts after SOAP parsing
Detection Strategies
- Inspect web server access logs for requests posting text/xml or application/soap+xml payloads to endpoints that invoke SoapServer::handle()
- Apply web application firewall (WAF) signatures that flag SOAP envelopes containing repeated key entries inside apache:Map elements
- Monitor PHP error logs for zend_mm_heap corruption messages, invalid zval types, or SIGSEGV terminations of worker processes
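One way to implement the duplicate-key signature from the strategies above, added here as an illustration (not code from the PHP project or the advisory). It resolves the xsi:type prefix to its namespace URI rather than matching the literal text apache:Map. The namespace URI, the item/key child layout, the function names and the sample body are assumptions of this example.

```python
import io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
APACHE = "http://xml.apache.org/xml-soap"  # assumed namespace URI behind apache:Map

def local(tag):
    return tag.rpartition("}")[2]  # drop any "{namespace}" part of a tag

def duplicate_map_keys(body: bytes) -> list:
    """Return keys that occur more than once inside any single apache:Map."""
    if b"<!DOCTYPE" in body:  # cheap guard: SOAP messages must not carry a DTD
        raise ValueError("DTD in SOAP body")
    scope, maps = [], []  # in-scope (prefix, uri) pairs; elements typed as Map
    for event, data in ET.iterparse(io.BytesIO(body),
                                    events=("start-ns", "end-ns", "start")):
        if event == "start-ns":
            scope.append(data)
        elif event == "end-ns":
            scope.pop()
        else:
            # xsi:type is a QName: resolve its prefix against the namespaces in
            # scope, so renaming the "apache:" prefix does not evade the check.
            prefix, _, name = data.get(f"{{{XSI}}}type", "").rpartition(":")
            uri = next((u for p, u in reversed(scope) if p == prefix), None)
            if (uri, name) == (APACHE, "Map"):
                maps.append(data)
    dupes = []
    for m in maps:  # parsing has finished, so every Map element is fully built
        seen = set()
        for item in (c for c in m if local(c.tag) == "item"):
            key = next((k.text or "" for k in item if local(k.tag) == "key"), "").strip()
            if key in seen and key not in dupes:
                dupes.append(key)
            seen.add(key)
    return dupes

# Constructed sample: plain string values, one repeated key, non-default prefix "m".
SAMPLE = b"""<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:m="http://xml.apache.org/xml-soap">
 <SOAP-ENV:Body><op><arg xsi:type="m:Map">
  <item><key>color</key><value>red</value></item>
  <item><key>size</key><value>L</value></item>
  <item><key>color</key><value>blue</value></item>
 </arg></op></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

if __name__ == "__main__":
    print(duplicate_map_keys(SAMPLE))
```

The check only sees maps declared through xsi:type; a map typed solely by the service's WSDL would need the schema to identify it.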
Monitoring Recommendations
- Enable process-execution telemetry on PHP application servers to detect child processes launched from php-fpm or httpd worker contexts
- Aggregate worker crash counts and alert when SOAP-handling endpoints exhibit elevated abnormal termination rates
- Capture full request bodies for SOAP endpoints in a forensic pipeline to support post-incident analysis
How to Mitigate CVE-2026-6722
Immediate Actions Required
- Upgrade affected hosts to PHP 8.2.31, 8.3.31, 8.4.21, or 8.5.6 or later as appropriate for the installed branch
- Inventory all applications that load the SOAP extension via extension=soap and prioritize patching those reachable from untrusted networks
- Restrict network access to SOAP endpoints to authenticated clients or trusted IP ranges until patches are applied
Patch Information
The PHP project released fixes in versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6. The patches add proper reference counting to the SOAP extension's deduplication map so that stored object pointers remain valid for the lifetime of the deserialization operation. See the PHP Security Advisory GHSA-85c2-q967-79q5 for upstream commit references.
Workarounds
- Disable the SOAP extension on servers that do not require it by removing or commenting out the extension=soap line in php.ini
- Deploy WAF rules that reject SOAP requests containing apache:Map elements with duplicate child keys
- Place SOAP endpoints behind authentication and authorization layers to reduce unauthenticated attack surface
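```bash
# Disable the SOAP extension where it is not required
# (if the extension is enabled from a conf.d/*.ini file instead of php.ini, comment it out there)
sudo sed -i 's/^extension=soap/;extension=soap/' /etc/php/8.3/fpm/php.ini
sudo systemctl restart php8.3-fpm
# Verify the SOAP extension is no longer loaded by the FPM SAPI
# (plain "php -m" reads the CLI configuration, not the FPM php.ini edited above)
sudo php-fpm8.3 -m | grep -i soap || echo "SOAP extension disabled"
```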


