Critical PHP SOAP Vulnerabilities Let Attackers Run Remote Code
Key Takeaways
- A critical cluster of vulnerabilities has been identified in PHP’s core string processing and ext-soap components.
- The most severe flaw, CVE-2026-6722, is a high-severity use-after-free bug in the PHP SOAP extension, enabling unauthenticated Remote Code Execution (RCE).
- Multiple PHP versions are affected, including those before 8.2.31, 8.3.31, 8.4.21, and 8.5.6.
- Patches are available and have been integrated into PHP versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6.
A significant set of vulnerabilities has been uncovered within PHP’s fundamental string processing mechanisms and the widely used ext-soap components. This discovery places numerous web servers at substantial risk, potentially leading to complete system compromise if left unaddressed.
While the SOAP extension has a documented history of memory corruption issues, this latest finding escalates the threat considerably, enabling unauthenticated Remote Code Execution (RCE) capabilities for attackers.
Security teams, including those at GitHub, are actively engaged with PHP maintainers in an urgent effort to deploy essential patches. This rapid response aims to prevent malicious actors from exploiting these flaws and converting vulnerable servers into compromised assets.
The Critical RCE Flaw: CVE-2026-6722
The most severe of the identified vulnerabilities, tracked as CVE-2026-6722, is a high-severity use-after-free flaw residing within the PHP SOAP extension. This particular vulnerability stems from how the extension manages object deduplication within the XML graph, specifically when utilizing id and href attributes.
During the parsing of an XML document, the SOAP extension temporarily stores plain PHP objects in a global hash map. Crucially, it fails to correctly increment their reference count. This oversight allows an attacker, by manipulating the Apache map mechanism, to intentionally free these objects by overwriting existing map entries. This memory manipulation paves the way for dangerous memory corruption.
As demonstrated by security researcher Brett Gervasoni, an attacker can gain significant control over this freed memory. By subsequently allocating plain strings in the newly freed memory segment, an attacker can effectively escalate this memory corruption into full Remote Code Execution.
Additional PHP SOAP and Core Flaws
Beyond the critical RCE vulnerability, the PHP security team, spearheaded by developer iluuu1994, has addressed four additional moderate-severity vulnerabilities. These fixes were primarily contributed via GitHub:
- CVE-2026-7261: Another Use-After-Free vulnerability within the SoapServer, triggered when handling session-persisted objects. If a header node’s handler function encounters an error or exception, the object is incorrectly freed but remains written to session storage, creating a window for exploitation.
- CVE-2026-7262: A NULL pointer dereference vulnerability that occurs during the decoding of Apache: Map nodes. Attackers can exploit this by sending a specially crafted XML request that omits the expected value node, consistently leading to a crash of the PHP process and a Denial of Service.
- CVE-2026-7258: An out-of-bounds read flaw found in the native urldecode() function. This issue arises from a missing type cast when evaluating hexadecimal characters, which can result in negative byte values and cause a segmentation fault on certain platforms, such as NetBSD.
- CVE-2026-6104: Affecting the mbstring extension, this vulnerability involves a global buffer overrun when parsing encoding names that contain embedded NUL bytes. It is primarily an information disclosure bug that allows reading beyond intended memory bounds and is not directly exploitable for code execution.
Affected Versions and Patches
These vulnerabilities impact multiple actively supported PHP branches. The SOAP-related flaws and the urldecode() bug affect PHP versions prior to 8.2.31, 8.3.31, 8.4.21, and 8.5.6. The mbstring vulnerability specifically impacts versions before 8.4.21 and 8.5.6.
Patches, contributed on GitHub by iluuu1994, iliaal, and ndossche, have now been integrated into PHP versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6. Upgrading to these patched versions resolves the identified memory mishandling and out-of-bounds read issues, thereby protecting servers against both denial-of-service and remote-code-execution attacks.
What You Should Do
- Immediate Update: Administrators are strongly advised to update their PHP environments to the latest patched versions as soon as possible.
- Prioritize SOAP Environments: Organizations utilizing the SOAP extension must prioritize deploying these patches to adequately protect critical infrastructure.
- Verify Patch Application: After updating, verify that the patches have been successfully applied and that your PHP environment is running the secure versions (8.2.31, 8.3.31, 8.4.21, or 8.5.6).
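One way to carry out the verification step, as an added example that is not from the PHP project or the original report: a shell helper that compares a PHP version against the patched release for its branch and, if it is older, lists which of the affected components are present. The function names and status strings are hypothetical; the version thresholds and CVE-to-component mapping are the ones stated in this article.

```shell
#!/bin/sh
# Patched release for each branch, as listed in the article.
patched_for_branch() {
    case "$1" in
        8.2) echo 8.2.31 ;;
        8.3) echo 8.3.31 ;;
        8.4) echo 8.4.21 ;;
        8.5) echo 8.5.6 ;;
        *)   return 1 ;;              # branch not covered by the article
    esac
}

# php_patch_status VERSION MODULES  (hypothetical helper name)
#   VERSION  e.g. 8.3.30 or 8.4.20-1ubuntu1 (packaging suffix is ignored)
#   MODULES  loaded extension names, as printed by `php -m`
# Prints "patched", "unknown-branch", or "vulnerable:<exposed components>".
php_patch_status() {
    ver=${1%%[!0-9.]*}
    branch=$(echo "$ver" | cut -d. -f1,2)
    patch=$(echo "$ver" | cut -d. -f3)
    fixed=$(patched_for_branch "$branch") || { echo unknown-branch; return 0; }
    if [ "${patch:-0}" -ge "${fixed##*.}" ]; then
        echo patched
        return 0
    fi
    # Normalise the module list to " name name ... " for whole-word matching.
    mods=" $(echo "$2" | tr 'A-Z\n' 'a-z ') "
    exposed=urldecode                 # CVE-2026-7258 is in core, always present
    case "$mods" in
        *" soap "*) exposed="soap,$exposed" ;;   # CVE-2026-6722/7261/7262
    esac
    case "$branch:$mods" in
        8.[45]:*" mbstring "*) exposed="$exposed,mbstring" ;;  # CVE-2026-6104
    esac
    echo "vulnerable:$exposed"
}

# Check the PHP binary on this host, if there is one.
if command -v php >/dev/null 2>&1; then
    echo "local PHP: $(php_patch_status "$(php -r 'echo PHP_VERSION;')" "$(php -m)")"
fi
```

The `php` found on the command line can be a different build from the FPM or Apache module that serves requests, so run the check against each installed SAPI. Distribution packages may also backport fixes without changing the upstream version number, in which case the vendor's changelog is the authority.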