PatchSiren cyber security CVE debrief
CVE-2026-6722 PHP (SOAP extension) CVE debrief
CVE-2026-6722 is a critical use-after-free in the PHP SOAP extension's object deduplication path. According to the published description, the extension keeps pointers to PHP objects in a global map without taking a reference on them, so when duplicate SOAP map entries and href references are processed a stale pointer can be left in that map and later dereferenced. An attacker who controls a SOAP request body processed by an affected release may be able to achieve remote code execution. The issue was published on 2026-05-10 and is rated CVSS 9.5 (Critical).
- Vendor
- PHP (The PHP Group)
- Product
- PHP, SOAP extension (ext/soap)
- CVSS
- CRITICAL 9.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-10
- Original CVE updated
- 2026-05-10
- Advisory published
- 2026-05-10
- Advisory updated
- 2026-05-10
Who should care
Administrators and developers running affected PHP versions with the SOAP extension enabled, especially for internet-facing applications or services that accept untrusted SOAP requests. PHP package maintainers and platform teams should also prioritize remediation, since the fix ships as a PHP release rather than an application-level change.
Technical summary
The reported flaw affects PHP 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6. The bug is in SOAP object deduplication: the extension stores pointers to PHP objects in a global map without incrementing their reference counts, so the map does not keep those objects alive. When an apache:Map node contains duplicate keys, the second entry overwrites the first in a temporary result map; the overwrite drops the result map's only reference to the original object, which frees it while the global map still holds the raw pointer. A later href lookup that resolves to that entry copies the dangling pointer into the result, and the subsequent use of freed memory (CWE-416) may be exploitable for remote code execution by an attacker who controls the SOAP payload.
Defensive priority
Immediate. Treat as a high-priority patch for any exposed or SOAP-reliant PHP deployment: upgrade to a release at or above the fixed version for your branch (8.2.31, 8.3.31, 8.4.21 or 8.5.6) and reduce exposure of SOAP endpoints until patched.
Recommended defensive actions
- Upgrade PHP to a fixed release: 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later, depending on your branch.
- Inventory systems that have the SOAP extension enabled and identify any endpoints that process untrusted SOAP requests.
- Prioritize internet-facing applications and any services that accept externally supplied SOAP bodies for immediate remediation.
- Apply vendor or distribution security updates as soon as they are available and verify package versions after patching.
- Temporarily limit access to SOAP endpoints through network controls or authentication where feasible until remediation is complete.
- Monitor PHP advisories and security mailing list updates for any follow-on guidance from the PHP project.
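The following triage script is an added example and is not code from the PHP project or from the advisory. It encodes the fixed releases listed in this debrief, classifies a PHP version string (including distribution-style suffixes such as 8.3.30-1ubuntu1) as vulnerable, fixed or unlisted, and, when pointed at a live PHP binary, reports whether the SOAP extension is loaded. The version strings in the demo loop are constructed samples, not observations from a real host; the `php` / `php-fpm` binaries and the `-v` / `-m` flags it relies on are standard PHP CLI options.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-6722 (not part of the PHP project or this
# advisory). It classifies a PHP version string against the fixed releases
# listed above and, optionally, checks a live PHP binary for the SOAP extension.

# First fixed patch level per branch, copied from the advisory text above.
# Branches not listed here (e.g. 8.1) are outside what this debrief covers.
php_fixed_patch_for_branch() {
    case "$1" in
        8.2) echo 31 ;;
        8.3) echo 31 ;;
        8.4) echo 21 ;;
        8.5) echo 6 ;;
        *)   echo "" ;;
    esac
}

# php_status VERSION -> prints vulnerable | fixed | unlisted | invalid
# Only the numeric major.minor.patch prefix is compared, so distro suffixes
# such as 8.3.30-1ubuntu1 or pre-release tags such as 8.5.6RC1 are tolerated.
php_status() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2 \3/p')
    if [ -z "$parsed" ]; then echo invalid; return; fi
    branch=${parsed% *}
    patch=${parsed#* }
    fixed=$(php_fixed_patch_for_branch "$branch")
    if [ -z "$fixed" ]; then echo unlisted; return; fi
    if [ "$patch" -ge "$fixed" ]; then echo fixed; else echo vulnerable; fi
}

# php_soap_loaded PHP_BINARY -> exit 0 if `<binary> -m` lists the soap module
php_soap_loaded() {
    "$1" -m 2>/dev/null | grep -qix soap
}

# installed_php_version PHP_BINARY -> version from the first "PHP x.y.z" line
# of `<binary> -v` (works for both the cli and php-fpm binaries).
installed_php_version() {
    "$1" -v 2>/dev/null | sed -n 's/^PHP \([0-9][^ ]*\).*/\1/p' | head -n 1
}

# audit_php PHP_BINARY -> one summary line for the given SAPI binary.
# Run it against each SAPI you ship (php, php-fpm, ...) because their
# loaded-module lists can differ.
audit_php() {
    bin=${1:-php}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "$bin: not found"
        return
    fi
    version=$(installed_php_version "$bin")
    status=$(php_status "$version")
    if php_soap_loaded "$bin"; then soap=loaded; else soap=not-loaded; fi
    echo "$bin: PHP $version status=$status soap=$soap"
}

# Constructed sample version strings (not observations from a real host) to
# show the classification on both sides of each fixed release.
for v in 8.2.30 8.2.31 8.3.30-1ubuntu1 8.3.31 8.4.20 8.4.21 8.5.5 8.5.6 8.1.33; do
    printf '%-16s -> %s\n' "$v" "$(php_status "$v")"
done

# Audit the PHP on PATH, if any; repeat with php-fpm where it is installed.
audit_php php
```

Two caveats when reading the output: "unlisted" means the branch is not in the ranges this debrief gives, not that it is safe; and distributions that backport fixes sometimes keep the upstream version number, so a "vulnerable" verdict for a distro package should be confirmed against the package changelog rather than the version string alone.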
Evidence notes
The vulnerability details, affected version ranges, and exploitation impact come from the supplied CVE description and the referenced PHP security advisory (GHSA-85c2-q967-79q5). NVD metadata in the supplied corpus records the CVE as received on 2026-05-10 and classifies it as CWE-416 (Use After Free).
Official resources
- CVE-2026-6722 CVE record (CVE.org)
- CVE-2026-6722 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: published on 2026-05-10 via the PHP security advisory referenced by NVD and recorded in the CVE/NVD metadata on the same date.