CVE-2026-6722 CRITICAL

CVE-2026-6722: Use-After-Free in SOAP using Apache map

Vendor Php Group

Product PHP

Weakness CWE-416

Published May 10, 2026

Last update May 12, 2026

View on NVD All CVEs

CVSS base score

9.5/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/RE:M/U:Red

What the vulnerability does

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

Key dates

Disclosure timeline

May 10, 2026 CVE published

May 12, 2026 Record updated

Identifiers

CVE CVE-2026-6722

CWE CWE-416

CVSS 9.5 / CRITICAL

Affected versions

Vendor Php Group

Product PHP

Affected ≥ 8.2.* and < 8.2.31

Vendor Php Group

Product PHP

Affected ≥ 8.3.* and < 8.3.31

Vendor Php Group

Product PHP

Affected ≥ 8.4.* and < 8.4.21

Vendor Php Group

Product PHP

Affected ≥ 8.5.* and < 8.5.6