Use-after-Free Vulnerability in PHP SOAP Server by PHP
CVE-2026-7261

6.3 MEDIUM

Key Information:

Vendor

PHP Group

Status
Vendor
CVE Published: 10 May 2026

What is CVE-2026-7261?

In the affected PHP versions, SoapServer mishandles persistent session objects. When the server is configured with SOAP_PERSISTENCE_SESSION and a SOAP request encounters an error, persistence is not managed correctly: the handler object may be freed while a pointer to it remains, a use-after-free. This can result in memory corruption, potential information leaks, or crashes, impacting the confidentiality, integrity, and availability of the system.

Affected Version(s)

PHP 8.2.*

PHP 8.2.* < 8.2.31

PHP 8.3.* < 8.3.31
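A triage check that combines the trigger condition from the description with the version list above, as an added example that is not PHP's or this page's own code. The names `FIXED`, `triage` and the sample PHP source are constructed for illustration, and the source scan is a line-based heuristic.

```python
import re

# Fixed release per branch, from the "Affected Version(s)" list on this page.
FIXED = {(8, 2): (8, 2, 31), (8, 3): (8, 3, 31)}
# setPersistence() call with SOAP_PERSISTENCE_SESSION (optional leading "\").
CALL = re.compile(r"->\s*setPersistence\s*\(\s*\\?SOAP_PERSISTENCE_SESSION\s*\)", re.I)

def parse_version(text):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a PHP version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def version_affected(text):
    """True/False for a listed branch; None when the page lists nothing for it."""
    v = parse_version(text)  # distro suffixes such as "-1ubuntu1" are ignored
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < fixed

def find_session_persistence(source):
    """1-based line numbers that enable session persistence on a SoapServer."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip whole-line comments
        if CALL.search(line):
            hits.append(n)
    return hits

def triage(version, sources):
    """sources maps file name -> PHP source text; exposed needs both conditions."""
    affected = version_affected(version)
    hits = {name: find_session_persistence(src) for name, src in sources.items()}
    hits = {name: lines for name, lines in hits.items() if lines}
    return {"version_affected": affected, "session_persistence": hits,
            "exposed": affected is True and bool(hits)}

# Constructed sample input, not taken from any real application.
SAMPLE = """<?php
$server = new SoapServer(null, ['uri' => 'urn:example']);
$server->setClass(Cart::class);
// $server->setPersistence(SOAP_PERSISTENCE_SESSION);
$server->setPersistence(SOAP_PERSISTENCE_REQUEST);
$other = new SoapServer(null, ['uri' => 'urn:example']);
$other->setPersistence(SOAP_PERSISTENCE_SESSION);
$other->handle();
"""

if __name__ == "__main__":
    print(triage("8.2.30", {"soap.php": SAMPLE}))
```

A `None` result for `version_affected` means the branch is not in this page's list and should be checked against the vendor advisory rather than treated as safe.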

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ilia Alshanetsky
Ilija Tovilo