CVE-2026-6722 — Vulnetix

CVE-2026-6722 PUBLISHED CVSS 9.5 CRITICAL

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

EPSS 0.35% · 57.9th percentile

Risk Scores

CVSS v4.0

9.5

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/RE:M/U:Red

EPSS Score

0.35%

57.9th percentile

Affected Products

Vendor	Product	Versions
PHP Group	PHP	8.2., 8.3., 8.4.*

Timeline

May 8, 2026 PoC Published
May 8, 2026 PoC Published
May 10, 2026 EPSS Score
May 10, 2026 CVE Published
May 10, 2026 PoC Published
May 10, 2026 PoC Published
May 11, 2026 Security Advisory
May 12, 2026 CVE Updated
May 18, 2026 EPSS Score
May 19, 2026 EPSS Score
May 20, 2026 EPSS Score
May 21, 2026 EPSS Score

References

https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5 vendor-advisory

Open in Interactive Console →