Critical severity9.8NVD Advisory· Published May 10, 2026· Updated May 12, 2026

CVE-2026-6722

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

Affected products

PHP/Php Srcinferred
Range: >=8.2,<8.2.31,>=8.3,<8.3.31,>=8.4,<8.4.21,>=8.5,<8.5.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5nvdVendor Advisory

News mentions

Patch Tuesday - May 2026
Rapid7 Blog · May 13, 2026

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000