Critical PHP SOAP Vulnerabilities Let Attackers Run Remote Code

Emy Elsamnoudy
May 12, 2026

Key Takeaways

  • A critical cluster of vulnerabilities has been identified in PHP’s core string processing and ext-soap components.
  • The most severe flaw, CVE-2026-6722, is a high-severity use-after-free bug in the PHP SOAP extension, enabling unauthenticated Remote Code Execution (RCE).
  • Multiple PHP versions are affected, including those before 8.2.31, 8.3.31, 8.4.21, and 8.5.6.
  • Patches are available and have been integrated into PHP versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6.

A significant set of vulnerabilities has been uncovered within PHP’s fundamental string processing mechanisms and the widely used ext-soap components. This discovery places numerous web servers at substantial risk, potentially leading to complete system compromise if left unaddressed.

While the SOAP extension has a documented history of memory corruption issues, this latest finding escalates the threat considerably, enabling unauthenticated Remote Code Execution (RCE) capabilities for attackers.

Security teams, including those at GitHub, are actively engaged with PHP maintainers in an urgent effort to deploy essential patches. This rapid response aims to prevent malicious actors from exploiting these flaws and converting vulnerable servers into compromised assets.

The Critical RCE Flaw: CVE-2026-6722

The most severe of the identified vulnerabilities, tracked as CVE-2026-6722, is a high-severity use-after-free flaw residing within the PHP SOAP extension. This particular vulnerability stems from how the extension manages object deduplication within the XML graph, specifically when utilizing id and href attributes.

During the parsing of an XML document, the SOAP extension temporarily stores plain PHP objects in a global hash map. Crucially, it fails to correctly increment their reference count. This oversight allows an attacker, by manipulating the Apache map mechanism, to intentionally free these objects by overwriting existing map entries. This memory manipulation paves the way for dangerous memory corruption.

As demonstrated by security researcher Brett Gervasoni, an attacker can gain significant control over this freed memory. By subsequently allocating plain strings in the newly freed memory segment, an attacker can effectively escalate this memory corruption into full Remote Code Execution.

Additional PHP SOAP and Core Flaws

Beyond the critical RCE vulnerability, the PHP security team, spearheaded by developer iluuu1994, has addressed four additional moderate-severity vulnerabilities. These fixes were primarily contributed via GitHub:

  • CVE-2026-7261: Another Use-After-Free vulnerability within the SoapServer, triggered when handling session-persisted objects. If a header node’s handler function encounters an error or exception, the object is incorrectly freed but remains written to session storage, creating a window for exploitation.
  • CVE-2026-7262: A NULL pointer dereference vulnerability that occurs during the decoding of Apache: Map nodes. Attackers can exploit this by sending a specially crafted XML request that omits the expected value node, consistently leading to a crash of the PHP process and a Denial of Service.
  • CVE-2026-7258: An out-of-bounds read flaw found in the native urldecode() function. This issue arises from a missing type cast when evaluating hexadecimal characters, which can result in negative byte values and cause a segmentation fault on certain platforms, such as NetBSD.
  • CVE-2026-6104: Affecting the mbstring extension, this vulnerability involves a global buffer overrun when parsing encoding names that contain embedded NUL bytes. It is primarily an information disclosure bug that allows reading beyond intended memory bounds and is not directly exploitable for code execution.

Affected Versions and Patches

These vulnerabilities impact multiple actively supported PHP branches. The SOAP-related flaws and the urldecode() bug affect PHP versions prior to 8.2.31, 8.3.31, 8.4.21, and 8.5.6. The mbstring vulnerability specifically impacts versions before 8.4.21 and 8.5.6.

Patches, contributed on GitHub by iluuu1994, iliaal, and ndossche, have now been integrated into PHP versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6. Upgrading to these patched versions resolves the identified memory mishandling and out-of-bounds read issues, thereby protecting servers against both denial-of-service and remote-code-execution attacks.

What You Should Do

  • Immediate Update: Administrators are strongly advised to update their PHP environments to the latest patched versions as soon as possible.
  • Prioritize SOAP Environments: Organizations utilizing the SOAP extension must prioritize deploying these patches to adequately protect critical infrastructure.
  • Verify Patch Application: After updating, verify that the patches have been successfully applied and that your PHP environment is running the secure versions (8.2.31, 8.3.31, 8.4.21, or 8.5.6).
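
One way to run the verification step across a fleet, as an added example (not from the article or the PHP project): it maps a reported PHP version and loaded-extension list to the CVEs above, using the fixed releases the article gives. The host names and inventory are constructed, and reading the mbstring range as the 8.4 and 8.5 branches only is an assumption.

```python
import re

# Fixed release per branch, as given in the article.
FIXED = {(8, 2): 31, (8, 3): 31, (8, 4): 21, (8, 5): 6}
ALL = set(FIXED)
# CVE -> (affected branches, extension that must be loaded; None = PHP core).
CVES = {
    "CVE-2026-6722": (ALL, "soap"),
    "CVE-2026-7261": (ALL, "soap"),
    "CVE-2026-7262": (ALL, "soap"),
    "CVE-2026-7258": (ALL, None),  # urldecode() is always present
    # Assumption: "before 8.4.21 and 8.5.6" means the 8.4 and 8.5 branches only.
    "CVE-2026-6104": ({(8, 4), (8, 5)}, "mbstring"),
}

# Constructed inventory: host, output of `php -r 'echo PHP_VERSION;'`, names from `php -m`.
INVENTORY = [
    ("api-01", "8.3.30", ["soap", "mbstring"]),
    ("web-02", "8.4.20-1ubuntu1", ["mbstring"]),
    ("web-03", "8.5.6", ["soap", "mbstring"]),
    ("legacy-04", "8.1.33", ["soap"]),
]

def parse_version(text):
    """Return (major, minor, patch), ignoring packaging suffixes like '-1ubuntu1'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised PHP version: {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(version, extensions):
    """Return (status, cves): status is 'patched', 'vulnerable' or 'unlisted'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch not in FIXED:
        return "unlisted", []  # the article names no fixed release for this branch
    if patch >= FIXED[branch]:
        return "patched", []
    loaded = {e.strip().lower() for e in extensions}
    hits = sorted(cve for cve, (branches, ext) in CVES.items()
                  if branch in branches and (ext is None or ext in loaded))
    return "vulnerable", hits

if __name__ == "__main__":
    for host, version, exts in INVENTORY:
        status, cves = triage(version, exts)
        print(f"{host:10} {version:18} {status:10} {', '.join(cves)}")
```

Distribution packages that backport fixes often keep the older upstream version number, so a "vulnerable" result on such a host is a prompt to check the vendor's advisory rather than proof of exposure.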
