CyberSecurityNews

Critical PHP SOAP Extension Vulnerabilities Enable Remote Code Execution Attacks


A serious cluster of vulnerabilities has been uncovered in PHP’s core string processing and ext-soap components, putting numerous web servers at immediate risk of total takeover.

While the SOAP extension has a notorious history of memory corruption flaws, this latest discovery crosses the red line into unauthenticated Remote Code Execution (RCE).

GitHub security teams are now locked in a race against time, as PHP maintainers deploy emergency patches to prevent attackers from turning vulnerable servers into compromised assets.

The most critical vulnerability, tracked as CVE-2026-6722, is a high-severity use-after-free flaw in the PHP SOAP extension.

This vulnerability emerges from how the extension handles deduplicating objects within the XML graph using id and href attributes.

When parsing an XML document, the extension stores plain PHP objects in a global hash map but critically fails to increment their reference count.

By leveraging the Apache map mechanism, an attacker can intentionally free these objects by overwriting existing map entries.

This memory manipulation allows the attacker to reuse the freed memory segment, leading to dangerous memory corruption.

As demonstrated by security researcher Brett Gervasoni, an attacker can gain a high degree of control over this freed memory by subsequently allocating plain strings, ultimately escalating the flaw into full Remote Code Execution.

Additional PHP SOAP Flaws

Alongside the RCE flaw, the PHP security team addressed four additional moderate-severity vulnerabilities through GitHub.

Developer iluuu1994 spearheaded remediation efforts for all the newly disclosed bugs.

CVE-2026-7261 involves another use-after-free issue in the SoapServer when handling session-persisted objects.

If a header node’s handler function fails or throws an exception, the object is incorrectly freed but still written to session storage.

CVE-2026-7262 is a NULL pointer dereference vulnerability triggered during the decoding of Apache:Map nodes.

By sending a specially crafted XML request missing the value node, attackers can consistently crash the PHP process, resulting in a Denial of Service.

CVE-2026-7258 exposes an out-of-bounds read in the native urldecode() function.

Due to a missing type cast when evaluating hexadecimal characters, negative byte values can cause a segmentation fault on some platforms, such as NetBSD.

CVE-2026-6104 affects the mbstring extension: parsing encoding names containing embedded NUL bytes causes a global buffer overrun.

This information disclosure bug can read beyond intended bounds but is not directly exploitable for code execution.

The SOAP-related flaws and the urldecode() bug affect multiple actively supported PHP branches.

The affected releases include PHP versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. The mbstring vulnerability affects only versions before 8.4.21 and 8.5.6.

Administrators are strongly advised to update their PHP environments immediately.

Patches contributed on GitHub by iluuu1994, iliaal, and ndossche are now integrated into PHP versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6.

Upgrading to these patched versions securely resolves the memory mishandling and out-of-bounds read issues, defending the server against both denial-of-service and remote-code-execution attacks.

Organizations using the SOAP extension must prioritize deploying this patch to protect critical infrastructure adequately.
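To help prioritize that rollout, the following added example (not code from the PHP project or from this article) maps a host's PHP version string and loaded extensions to the CVEs and fixed releases listed above. The function name `triage`, the status labels, and the sample inventory are assumptions made for illustration; RC/dev builds of a fixed release are treated as unpatched.

```python
import re

# Fixed patch level per branch, taken from the article.
FIXED = {(8, 2): 31, (8, 3): 31, (8, 4): 21, (8, 5): 6}
ALL, MB_ONLY = set(FIXED), {(8, 4), (8, 5)}

# CVE -> (extension that must be loaded, None for core; branches the article lists)
ADVISORIES = {
    "CVE-2026-6722": ("soap", ALL),          # SOAP id/href use-after-free
    "CVE-2026-7261": ("soap", ALL),          # SoapServer session use-after-free
    "CVE-2026-7262": ("soap", ALL),          # Apache Map NULL pointer dereference
    "CVE-2026-7258": (None, ALL),            # urldecode() out-of-bounds read
    "CVE-2026-6104": ("mbstring", MB_ONLY),  # mbstring global buffer overrun
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-?(dev|alpha|beta|rc)\d*)?", re.I)

def triage(version, extensions):
    """Map each CVE to vulnerable / patched / extension-not-loaded / not-listed."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    branch, patch = (int(m[1]), int(m[2])), int(m[3])
    # Assumption: a pre-release (RC/alpha/beta/dev) of the fixed version is unpatched.
    prerelease = m[4] is not None
    loaded = {e.strip().lower() for e in extensions}
    result = {}
    for cve, (ext, branches) in ADVISORIES.items():
        if branch not in branches:
            status = "not-listed"  # the article names no fixed release for this branch
        elif patch > FIXED[branch] or (patch == FIXED[branch] and not prerelease):
            status = "patched"
        elif ext is not None and ext not in loaded:
            status = "extension-not-loaded"  # old version, but the code path is absent
        else:
            status = "vulnerable"
        result[cve] = status
    return result

if __name__ == "__main__":
    # Constructed inventory rows: (host, PHP version string, loaded extensions)
    inventory = [
        ("web-01", "PHP 8.3.30 (cli)", ["Core", "soap", "mbstring"]),
        ("web-02", "8.4.21RC1", ["mbstring"]),
    ]
    for host, ver, exts in inventory:
        hits = [c for c, s in triage(ver, exts).items() if s == "vulnerable"]
        print(host, ver, hits or "no listed CVE applies")
```

Distribution packages sometimes backport security fixes without changing the upstream version number, so a "vulnerable" result for a vendor-packaged PHP should be confirmed against the vendor's own advisory.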
