A high-severity Use-After-Free vulnerability in PHP’s SOAP extension tracked as CVE-2026-6722 allows attackers to exploit a stale memory reference via Apache-style SOAP map structures, potentially leading to full Remote Code Execution (RCE) on vulnerable servers. PHP has issued emergency patches across all supported branches in versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6.
CVE-2026-6722 is a CWE-416 (Use-After-Free) memory corruption vulnerability residing in the ext/soap module of PHP. The flaw was discovered by security researcher brettgervasoni and was publicly disclosed via GitHub Security Advisory GHSA-85c2-q967-79q5 by PHP core contributor iluuu1994 on May 7, 2026. The vulnerability carries a High severity rating and affects four major PHP version branches, all of which are now patched.
PHP ext-soap Use-After-Free Vulnerability
The vulnerability lies within PHP’s internal SOAP object deduplication mechanism using the global SOAP_GLOBAL(ref_map) hash map. When parsing XML graphs in SOAP requests, the extension uses two critical internal functions in ext/soap/php_encoding.c:
soap_add_xml_ref() registers a PHP object in SOAP_GLOBAL(ref_map), keying it to the memory address of the corresponding libxml2 node. Critically, this operation does not increment the PHP object’s reference count, leaving the object vulnerable to premature deallocation.
soap_check_xml_ref() retrieves that stored reference and reassigns it to a zval (PHP’s internal value container). If a previously stored object has been freed in the intervening steps, soap_check_xml_ref() will operate on a dangling pointer, accessing memory that has already been released and potentially reallocated by the attacker.
The Apache SOAP map type (xsi:type="apache:Map") provides the exploitation vector by supporting duplicate <key> entries within the same map block.
When the ext-soap parser processes duplicate keys, it overwrites the first map entry with NULL, releasing the PHP object that was registered in SOAP_GLOBAL(ref_map) while a second href reference still points to the now-freed memory.
The proof-of-concept published in the security advisory demonstrates the attack with a crafted SOAP envelope. The attack chain unfolds in five stages:
- A SOAP request containing an apache:Map block is submitted with two items sharing the same key (somekey).
- The first item's <value id="stale"> causes the Stale PHP object to be created and registered in SOAP_GLOBAL(ref_map) via soap_add_xml_ref() without incrementing its reference count.
- The second item with an empty <value> overwrites the first map entry, decrementing the object's reference count to zero and freeing the Stale object from memory.
- The SOAP_GLOBAL(ref_map) entry still holds the now-invalid pointer to the freed memory region, making it a stale reference.
- The <stale href="#stale"/> parameter in the same SOAP body triggers soap_check_xml_ref(), which resolves the stale pointer, allowing an attacker to read or write to freed memory by spraying controlled heap data (plain PHP strings) into the vacated allocation.
The result is full attacker control over the freed memory segment, which translates directly into Remote Code Execution. The attack requires no authentication and only requires the ability to send a specially crafted SOAP request to a vulnerable PHP endpoint.
Affected PHP Versions
The following PHP branches are confirmed vulnerable to CVE-2026-6722:
- PHP < 8.2.31
- PHP < 8.3.31
- PHP < 8.4.21
- PHP < 8.5.6
These ranges cover a significant proportion of production PHP deployments globally, as many organizations run stable or long-term support branches without aggressive update cycles.
Patch Released
The PHP development team addressed this flaw in a targeted patch, committing a two-part fix to ext/soap/php_encoding.c: the reference count of each PHP object is now incremented before being stored in SOAP_GLOBAL(ref_map), and a ZVAL_PTR_DTOR deallocator is configured to safely release those objects when SOAP processing completes.
This closes the window between object registration and potential deallocation that the Apache map’s overwrite mechanism exploited.
The patched versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6 were released on May 7, 2026, and collectively fix between 8 and 13 security bugs across the respective branches, making them critical security updates. RPM packages for Fedora and Enterprise Linux distributions are already available via Remi Collet’s repository.
Mitigation
System administrators and developers running PHP-based applications that expose SOAP endpoints should act immediately:
- Update PHP immediately to 8.2.31, 8.3.31, 8.4.21, or 8.5.6, depending on the active branch.
- Disable ext-soap if SOAP-based services are not required, reducing the attack surface entirely.
- Restrict SOAP endpoint access using WAF rules or IP allowlisting to limit exposure to crafted XML payloads while patching is underway.
- Audit SOAP-handling code for applications that process user-supplied SOAP envelopes, particularly those accepting Apache-map-type structures.
- Monitor server logs for abnormal SOAP request patterns involving duplicate map keys or unexpected href references in SOAP bodies.
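One way to implement the monitoring check from the last item on captured SOAP request bodies, as an added example that is not code from the advisory or the PHP project. The function name, finding labels and sample bodies are constructed for illustration, and the check assumes request bodies are available to a proxy or log pipeline.

```python
import xml.etree.ElementTree as ET

def local(name):
    return name.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def attr(elem, wanted):
    """First attribute whose local name matches, whatever its namespace."""
    return next((v for k, v in elem.attrib.items() if local(k) == wanted), None)

def inspect_soap_body(body):
    """Return a list of findings for one captured SOAP request body (bytes)."""
    if b"<!DOCTYPE" in body:            # SOAP messages must not carry a DTD
        return ["doctype-present"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["malformed-xml"]
    findings, overwritten_ids = [], set()
    for elem in root.iter():
        # Match xsi:type="<prefix>:Map" by local name, deliberately broad.
        if (attr(elem, "type") or "").split(":")[-1] != "Map":
            continue
        seen = {}                        # key text -> latest <item> using it
        for item in elem:
            key = next((c for c in item if local(c.tag) == "key"), None)
            if local(item.tag) != "item" or key is None:
                continue
            text = (key.text or "").strip()
            prev = seen.get(text)
            if prev is not None:
                findings.append(f"duplicate-map-key:{text}")
                # ids declared inside the entry that the later item replaces
                overwritten_ids.update(
                    filter(None, (attr(e, "id") for e in prev.iter())))
            seen[text] = item
    for elem in root.iter():
        href = attr(elem, "href")
        if href and href.lstrip("#") in overwritten_ids:
            findings.append(f"href-to-overwritten-id:{href}")
    return findings

# Constructed sample bodies that mirror only the structure described above.
SUSPICIOUS = b"""<Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:apache="http://xml.apache.org/xml-soap"><map xsi:type="apache:Map">
 <item><key>somekey</key><value id="stale"/></item>
 <item><key>somekey</key><value/></item></map><stale href="#stale"/></Body>"""
BENIGN = SUSPICIOUS.replace(b"<key>somekey</key><value/>",
                            b"<key>other</key><value/>")
```

A duplicate key on its own is worth logging; an href that resolves to an id inside the replaced entry is the combination the advisory's attack chain depends on and should be treated as the higher-priority signal.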
The PHP security team’s rapid response in coordinating a cross-branch patch demonstrates the maturity of PHP’s security disclosure process.
FAQ
Q1: What is CVE-2026-6722?
CVE-2026-6722 is a high-severity Use-After-Free vulnerability in PHP’s ext-soap extension that can be exploited via crafted Apache SOAP map messages to achieve Remote Code Execution.
Q2: Which PHP versions are affected by CVE-2026-6722?
All PHP versions below 8.2.31, 8.3.31, 8.4.21, and 8.5.6 are vulnerable, and upgrading to these patched releases is the only definitive fix.
Q3: Does exploiting this vulnerability require authentication?
No, an unauthenticated attacker can exploit CVE-2026-6722 by sending a specially crafted SOAP request to any exposed PHP SOAP endpoint running a vulnerable version.
Q4: How can organizations protect themselves before patching?
Organizations can temporarily disable the ext-soap PHP extension or deploy WAF rules to block Apache-map SOAP payloads with duplicate keys while an emergency patch is applied.