Object Deduplication Vulnerability in PHP SOAP Extension by The PHP Group
CVE-2026-6722

9.5CRITICAL

Key Information:

Vendor: PHP Group
Status: PHP
Vendor: CVE Published:; 10 May 2026

What is CVE-2026-6722?

The PHP SOAP extension contains a vulnerability in its object deduplication mechanism across several PHP versions. This issue arises because pointers to PHP objects are stored in a global map without properly managing their reference counts. In scenarios where duplicate keys exist, the mechanism replaces the original entry with a new one, inadvertently freeing the original object while a stale pointer remains. This leads to a use-after-free condition whereby an adversary controlling the SOAP request body can exploit the vulnerability, potentially leading to remote code execution through dereferencing a dangling pointer. This underscores the importance of keeping PHP versions updated to safeguard against such vulnerabilities.

Affected Version(s)

PHP 8.2.*

PHP 8.2.* < 8.2.31

PHP 8.3.* < 8.3.31

References

https://github.com/php/php-src/security/advisories/GHSA-8...

vendor-advisory

CVSS V4

Score:

9.5

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 10, 2026
Vulnerability Reserved
Apr 20, 2026

Credit

brettgervasoni

Ilija Tovilo

Nora Dossche

CVE-2026-6722 Data

JSON