PatchSiren cyber security CVE debrief
CVE-2026-7261 Unknown Vendor CVE debrief
CVE-2026-7261 is a PHP vulnerability in SoapServer session persistence that can turn a SOAP request error into a use-after-free condition. The issue affects PHP 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6 when SOAP_PERSISTENCE_SESSION is enabled. Because the handler object is persisted across requests via session storage, incorrect cleanup on error can leave a dangling pointer to freed memory. The reported impact includes memory corruption, information disclosure, and process crashes.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
Operators and developers running PHP SOAP services that use SoapServer with SOAP_PERSISTENCE_SESSION, especially if the service is reachable from untrusted clients. Also relevant to application teams, hosting providers, and distribution maintainers responsible for patching PHP runtimes.
Technical summary
NVD and the PHP security advisory reference describe a session-persistence bug in SoapServer. Under SOAP_PERSISTENCE_SESSION, the handler object is stored across requests. If a SOAP request returns an error, persistence cleanup is handled incorrectly: the object can be freed while a pointer to it remains in use. NVD maps the weakness to CWE-416 (Use After Free). The CVSS 4.0 vector in the supplied source indicates network attack conditions with low attack complexity and potential impacts to confidentiality, integrity, and availability.
Defensive priority
Medium-to-high. Prioritize patching any PHP deployment that exposes SOAP services and uses SOAP_PERSISTENCE_SESSION, since the bug can lead to corruption or crashes even without authentication.
Recommended defensive actions
- Upgrade PHP to a fixed release: 8.2.31, 8.3.31, 8.4.21, or 8.5.6, depending on your branch.
- Inventory applications that use SoapServer with SOAP_PERSISTENCE_SESSION and treat them as affected until verified otherwise.
- If immediate upgrade is not possible, disable or avoid SOAP_PERSISTENCE_SESSION where operationally feasible.
- Test SOAP endpoints for error-handling behavior after patching to confirm the fix does not break service logic.
- Monitor PHP service logs and crash reports for unexpected faults around SOAP request failures.
- Coordinate with package maintainers or platform vendors if you rely on bundled PHP builds.
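The first two actions above (checking the runtime version and inventorying session-persistent SoapServer code) can be scripted. The following is an added example, not code from the PHP project or the advisory: the function names, status labels, and sample file are assumptions made for illustration, the fixed versions are the ones listed in this debrief, and `SoapServer::setPersistence()` is the PHP method that takes the `SOAP_PERSISTENCE_SESSION` constant.

```python
import re
from pathlib import Path

# Fixed patch level per branch, as listed in this debrief.
FIXED = {(8, 2): 31, (8, 3): 31, (8, 4): 21, (8, 5): 6}

# PHP method names are case-insensitive; the constant is matched exactly.
SESSION_CONST = re.compile(r"\bSOAP_PERSISTENCE_SESSION\b")
SET_PERSISTENCE = re.compile(r"->\s*setPersistence\s*\(", re.IGNORECASE)


def version_status(version: str) -> str:
    """Classify a PHP version string as 'affected', 'fixed' or 'not-listed'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable PHP version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "not-listed"  # branch is not named in the CVE description
    return "fixed" if patch >= fixed_patch else "affected"


def scan_source(text: str, name: str = "<memory>"):
    """Return (name, line_no, kind, line) for each persistence-related line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if SESSION_CONST.search(line):
            hits.append((name, no, "session-persistence", line.strip()))
        elif SET_PERSISTENCE.search(line):
            # Mode passed as a variable or literal: needs manual review.
            hits.append((name, no, "review-mode-argument", line.strip()))
    return hits


def scan_tree(root: str):
    """Scan every *.php file under root and collect the hits."""
    hits = []
    for path in Path(root).rglob("*.php"):
        hits += scan_source(path.read_text(errors="replace"), str(path))
    return hits


# Constructed sample input, not taken from any real application.
SAMPLE = """<?php
$server = new SoapServer('service.wsdl');
$server->setClass('OrderHandler');
$server->setPersistence(SOAP_PERSISTENCE_SESSION);
$server->handle();
"""
```

Pre-release or distribution suffixes after the patch number are ignored, so a distribution build that backports the fix under an older version number still reports as affected and needs confirmation with the package maintainer.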
Evidence notes
This debrief is based on the supplied CVE description, NVD metadata, and the referenced PHP advisory URL. The vulnerability is published as CVE-2026-7261 on 2026-05-10. NVD marks the record as received and associates CWE-416. The advisory URL from [email protected] is cited in NVD, but no additional advisory text was provided in the source corpus, so no extra product-specific details are asserted beyond the CVE description.
Official resources
- CVE-2026-7261 CVE record (CVE.org)
- CVE-2026-7261 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-7261 was published on 2026-05-10. No KEV entry was supplied in the timeline, and this debrief does not assert active exploitation. The analysis is limited to the provided CVE/NVD metadata and referenced official advisory link.