CVEFinder.io

CVE-2026-6722

โ›” critical
๐Ÿ” Scan for this CVE
Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global mapย without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global mapย without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

CVSS Score
9.8
Critical
EPSS Score
0.7
Exploit Probability
Published Date
2026-05-10
First Seen: 2026-05-11
๐Ÿ“Š Relative Risk Intelligence

This CVE is Very High Risk - more severe than 90.6% of all 335,187 vulnerabilities in our database.

#31,628
Top 10% most severe
Severity Percentile
๐ŸŽฏ CISA SSVC Assessment Updated: May 11, 2026
๐Ÿ” Exploitation Status
None
No known exploits
โš™๏ธ Automatable
NO
Requires human interaction
๐Ÿ’ฅ Technical Impact
Total
Complete system compromise possible
๐Ÿ† Discovered By
brettgervasoni (reporter) Ilija Tovilo (remediation developer) Nora Dossche (remediation reviewer)
SSVC data provided by CISA
Last Modified 2026-07-02
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Red
CWE IDs (Weakness Types)

๐Ÿ“ฆ Affected Products 4

๐Ÿ”— References 6

๐Ÿ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-14355 ๐Ÿ”ถ medium 5.6 0.3 In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algo... 2026-07-03
CVE-2025-14179 โ›” critical 9.8 0.3 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird ... 2026-05-10
CVE-2026-7262 โš ๏ธ high 7.5 0.8 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP serve... 2026-05-10
CVE-2026-7568 โš ๏ธ high 7.5 0.5 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() f... 2026-05-10
CVE-2026-6104 โ›” critical 9.1 0.5 In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is pas... 2026-05-10
CVE-2026-7263 โš ๏ธ high 7.5 0.4 In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N()ย method may process the XML data incorrectly... 2026-05-10
These CVEs affect the same products