CVE-2026-7261 Overview
CVE-2026-7261 is a use-after-free vulnerability [CWE-416] in PHP's SoapServer implementation. The flaw exists when SoapServer is configured with SOAP_PERSISTENCE_SESSION, which persists the handler object across requests through session storage. When a SOAP request results in an error, the persistence logic frees the handler object while retaining a pointer to it. Subsequent access to that dangling pointer can trigger memory corruption, information disclosure, or process crashes. The vulnerability affects PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6.
Critical Impact
Remote attackers can trigger memory corruption in PHP processes running SOAP services with session persistence, potentially leading to information disclosure or service disruption.
Affected Products
- PHP 8.2.* before 8.2.31
- PHP 8.3.* before 8.3.31
- PHP 8.4.* before 8.4.21 and 8.5.* before 8.5.6
Discovery Timeline
- 2026-05-10 - CVE-2026-7261 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-7261
Vulnerability Analysis
The vulnerability resides in PHP's SOAP extension when developers enable SOAP_PERSISTENCE_SESSION on a SoapServer instance. This persistence mode stores the handler object in $_SESSION so that state survives across multiple SOAP requests from the same client. The handler lifecycle is tightly coupled with the session lifecycle, requiring careful reference management during error conditions.
When a SOAP request triggers an error during processing, the cleanup path frees the handler object prematurely. However, the session storage still retains a pointer reference to the freed memory region. On the next request that touches the persisted handler, PHP dereferences the stale pointer, producing classic use-after-free behavior. Attackers can leverage this primitive to corrupt heap memory, leak adjacent object contents, or crash the worker process.
The issue carries confidentiality, integrity, and availability impact because freed memory may be reallocated to attacker-controlled data before the dangling pointer is reused.
Root Cause
The root cause is incorrect reference counting and lifecycle management of the persisted SOAP handler object during error handling paths. The error path releases the handler object without clearing the corresponding session reference, leaving a dangling pointer in session storage.
Attack Vector
An unauthenticated remote attacker sends crafted SOAP requests to a vulnerable PHP application that exposes a SoapServer configured with SOAP_PERSISTENCE_SESSION. The attacker first triggers an error condition during SOAP processing, then issues a follow-up request reusing the same session to access the freed handler. Successful exploitation depends on heap layout and timing, which is why the attack complexity reflects required attacker preparation.
No verified public proof-of-concept code is currently available. Refer to the PHP Security Advisory GHSA-m33r-qmcv-p97q for upstream technical context.
Detection Methods for CVE-2026-7261
Indicators of Compromise
- Unexpected segmentation faults or worker crashes in PHP-FPM or Apache mod_php processes handling SOAP traffic
- SOAP error responses immediately followed by additional requests reusing the same PHPSESSID cookie
- Anomalous session file contents referencing serialized SoapServer handler objects
Detection Strategies
- Inventory PHP applications and identify any code paths invoking SoapServer::setPersistence(SOAP_PERSISTENCE_SESSION)
- Monitor web server and PHP error logs for repeated SOAP fault entries correlated with process restarts
- Inspect HTTP traffic for SOAP requests producing errors followed by rapid re-requests against the same endpoint and session
Monitoring Recommendations
- Enable verbose logging in PHP error handlers and forward logs to a centralized analytics platform for correlation
- Track PHP worker crash counts and restart frequency as a leading indicator of memory corruption attempts
- Alert on outbound data anomalies from web servers hosting SOAP endpoints, which may indicate information disclosure
How to Mitigate CVE-2026-7261
Immediate Actions Required
- Upgrade PHP to a fixed release: 8.2.31, 8.3.31, 8.4.21, or 8.5.6 as applicable to your branch
- Audit application code for use of SOAP_PERSISTENCE_SESSION and disable it where not strictly required
- Restrict access to SOAP endpoints to trusted networks while patching is in progress
Patch Information
PHP maintainers have released patched versions across all supported branches. Apply the updates referenced in the PHP Security Advisory GHSA-m33r-qmcv-p97q. After upgrading, restart PHP-FPM, Apache, or any long-running PHP worker processes to ensure the patched binary is loaded.
Workarounds
- Change SoapServer persistence mode from SOAP_PERSISTENCE_SESSION to SOAP_PERSISTENCE_REQUEST to avoid cross-request handler reuse
- Place a web application firewall rule that blocks repeated SOAP requests sharing a session ID after a fault response
- Implement strict input validation upstream of the SOAP endpoint to reduce the probability of triggering server-side errors
# Verify installed PHP version against the fixed releases
php -v
# Debian/Ubuntu: upgrade PHP packages
sudo apt update && sudo apt install --only-upgrade php php-soap
# RHEL/Alma/Rocky: upgrade PHP packages
sudo dnf upgrade php php-soap
# Restart PHP-FPM workers after upgrade
sudo systemctl restart php-fpm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
