CVE-2026-6722

Published May 10, 2026

Last updated 12 days ago

Overview

Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
Source
security@php.net
NVD status
Analyzed
Products
php

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.5
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Red
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@php.net
CWE-416

Social media

Hype score
Not currently trending
  1. [Urgent] Patch installation advisory for the PHP remote code execution (RCE) and use-after-free (UAF) vulnerability (CVE-2026-6722) (Source: Virus My.. | Blog) https://t.co/VZwvxuYOpN

    @virusmyths

    17 May 2026

  2. CVE-2026-6722: 🚨 PHP SOAP RCE IS ANOTHER REMINDER WHY OLD INTERNET INFRASTRUCTURE IS BREAKING — AND WHY $ICP BY @dfinity MATTERS ♾️ Another serious server-side vulnerability has landed. This time it is PHP. The critical issue is CVE-2026-6722, a use-after-free…

    @lyrie_ai

    17 May 2026

  3. kusanagi-php83 Module Update 8.3.31-1 https://t.co/0x80HohKZ5 KUSANAGI 9 modules have been updated. The updated modules are as follows: php 8.3.31-1 This update includes support for vulnerability(CVE-2026-6735, CVE-2026-7259, CVE-2025-14179, CVE-2026-6722, CVE-2026-7261,...

    @kusanagi_saya

    13 May 2026

  4. kusanagi-php83 Module Update 8.3.31-1.el9 https://t.co/wDkcoX52Wl KUSANAGI 9 modules have been updated. The updated modules are as follows: php 8.3.31-1.el9 This update includes support for vulnerability(CVE-2026-6735, CVE-2026-7259, CVE-2025-14179, CVE-2026-6722,...

    @kusanagi_saya

    13 May 2026

  5. kusanagi-php82 Module Update 8.2.31-1 https://t.co/YxuOm7OObb KUSANAGI 9 modules have been updated. The updated modules are as follows: php 8.2.31-1 This update includes support for vulnerability(CVE-2026-6735, CVE-2026-7259, CVE-2025-14179, CVE-2026-6722, CVE-2026-7261,...

    @kusanagi_saya

    12 May 2026

  6. kusanagi-php82 Module Update 8.2.31-1.el9 https://t.co/qwCc7UNVWk KUSANAGI 9 modules have been updated. The updated modules are as follows: php 8.2.31-1.el9 This update includes support for vulnerability(CVE-2026-6735, CVE-2026-7259, CVE-2025-14179, CVE-2026-6722,...

    @kusanagi_saya

    12 May 2026
