CVE-2026-6722
Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global mapΒ without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or β if you've already worked around this in production β publish your fix to the community-verified tier.
β Propose a mitigation on Community β Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| β | Affected | β |
Windows Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| β | Affected | β |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 8.4.21-1~deb13u1 |
| sid | Fixed | 8.4.21-1 |
| forky | Fixed | 8.4.21-1 |
| bullseye | Fixed | 7.4.33-1+deb11u11 |
| bookworm | Fixed | 8.2.31-1~deb12u1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| php | php | {"startIncluding":"8.2.0","endExcluding":"8.2.31"} | 8.2.31 |
References
CWEs
CWE-416
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.