Critical severity9.8NVD Advisory· Published May 10, 2026· Updated May 12, 2026

CVE-2026-7261

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.

Affected products

PHP/Php Srcinferred
Range: >=8.2.0,<8.2.31, >=8.3.0,<8.3.31, >=8.4.0,<8.4.21, >=8.5.0,<8.5.6
PHP/PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Range: >=8.2.0,<8.2.31

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97qnvdVendor Advisory

News mentions

Patch Tuesday - May 2026
Rapid7 Blog · May 13, 2026

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000