Vulnerability News
Take action: If you run PHP on your web servers, update immediately to the fixed release for your branch: 8.2.31, 8.3.31, 8.4.21 or 8.5.6. If you cannot patch right away, disable the SOAP extension as a temporary measure until the update is applied; this removes the attack surface for the two remote code execution flaws and the SOAP denial-of-service flaw, but not for the mbstring and urldecode() bugs described below.
PHP maintainers released emergency patches for five vulnerabilities, primarily affecting the SOAP extension and core string processing components. These flaws range from unauthenticated remote code execution (RCE) to denial-of-service (DoS) and information disclosure.
Vulnerabilities summary:
- CVE-2026-6722 (CVSS score 9.8): A use-after-free in the PHP SOAP extension that occurs when deduplicating objects in an XML graph via id and href attributes. The extension fails to increment the reference count for objects stored in the global hash map, so an attacker can use the apache:Map mechanism to overwrite entries and free the objects. By then allocating plain strings, the attacker can reclaim the freed memory and run arbitrary code.
- CVE-2026-7261 (CVSS score 9.8): A use-after-free in the SoapServer component when handling session-persisted objects. If a header node's handler function fails or throws an exception, the object is freed but still written to session storage, allowing an attacker to manipulate the freed memory during session writes and achieve code execution.
- CVE-2026-6104 (CVSS score 9.1): A global buffer over-read in the mbstring extension, triggered when parsing encoding names that contain embedded NUL bytes. The mbfl_name2encoding_ex function matches the string up to the NUL byte but then reads beyond the intended buffer bounds, disclosing sensitive data from adjacent global memory.
- CVE-2026-7262 (CVSS score 7.5): A NULL pointer dereference in the SOAP apache:Map decoder when a value node is missing from a request. The decoder rechecks the key node instead of the value node and crashes when it accesses the missing node's properties, giving an attacker a reliable denial of service against the server.
- CVE-2026-7258 (CVSS score 7.5): An out-of-bounds read in the native urldecode() function caused by a missing type cast when evaluating hexadecimal characters. On platforms where bytes above 0x7F are treated as negative char values (NetBSD is named), sign extension yields an out-of-range index and a segmentation fault, so a remote attacker can crash the PHP process with a specially crafted URL-encoded string.
Exploiting the two use-after-free flaws gives an unauthenticated attacker arbitrary code execution on the web server in the context of the PHP process; the remaining flaws let an attacker crash PHP workers or leak memory contents. The RCE flaws are especially dangerous because they require no valid credentials and are reached through ordinary SOAP request processing.
The vulnerabilities affect PHP releases prior to 8.2.31, 8.3.31, 8.4.21 and 8.5.6. The SOAP and urldecode() flaws affect all four of these branches; the mbstring buffer over-read affects only the 8.4 and 8.5 branches and is fixed in 8.4.21 and 8.5.6.
Administrators should update to PHP 8.2.31, 8.3.31, 8.4.21 or 8.5.6. Organizations unable to patch immediately should disable the SOAP extension, which takes the two RCE flaws and the apache:Map crash out of reach, and may add strict input validation for XML and URL-encoded data as a secondary measure. Input filtering in front of a memory-unsafe parser is not a reliable substitute for the patch, and neither measure covers the mbstring over-read or the urldecode() crash, so the upgrade remains the only complete fix.
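As an added example, not from this advisory or from the PHP project, the following POSIX shell script turns the "Take action" guidance and the version table above into a repeatable host check: it compares an installed PHP version against the fixed release for its branch and reports whether the soap module is loaded. The fixed-version table is taken from this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the advisory or of PHP itself): decide whether an
# installed PHP release carries the fixes described above, and whether the
# SOAP extension is loaded. Fixed versions per branch are from the advisory.

# Strip a distro suffix such as "8.2.31-1+ubuntu22.04.1" down to "8.2.31".
clean_version() {
    printf '%s' "$1" | sed 's/[^0-9.].*$//'
}

# version_ge A B: succeed if dotted version A >= B, compared numerically
# field by field (missing fields count as 0).
version_ge() {
    v1=$(clean_version "$1"); v2=$(clean_version "$2")
    oldifs=$IFS; IFS=.
    set -- $v1; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $v2; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# Minimum fixed release for a branch such as "8.3", per the advisory text;
# prints nothing for a branch the advisory does not list.
fixed_version_for_branch() {
    case "$1" in
        8.2) echo 8.2.31 ;;
        8.3) echo 8.3.31 ;;
        8.4) echo 8.4.21 ;;
        8.5) echo 8.5.6 ;;
        *)   echo "" ;;
    esac
}

# php_status VERSION: print "fixed", "vulnerable" or "unknown-branch".
# Exit status: 0 fixed, 1 vulnerable, 2 branch not covered by the advisory.
php_status() {
    v=$(clean_version "$1")
    branch=${v%.*}
    fixed=$(fixed_version_for_branch "$branch")
    if [ -z "$fixed" ]; then
        echo unknown-branch; return 2
    fi
    if version_ge "$v" "$fixed"; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# Inspect the interpreter on this host: version verdict, plus whether "soap"
# appears in the module list printed by `php -m`.
check_local_php() {
    command -v php >/dev/null 2>&1 || { echo "php not found in PATH"; return 2; }
    ver=$(php -r 'echo PHP_VERSION;')
    if verdict=$(php_status "$ver"); then rc=0; else rc=$?; fi
    echo "php $ver: $verdict"
    if php -m 2>/dev/null | grep -qix soap; then
        echo "soap extension: loaded (disable it until patched if you cannot update)"
    else
        echo "soap extension: not loaded"
    fi
    return "$rc"
}

# Run the local check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_local_php
fi
```

Run it as sh check_php.sh --check on each host (the exit status is 1 for a vulnerable build, which makes it easy to wire into a fleet-wide inventory job). The branch is derived from the version string, so a host on a branch the advisory does not list is reported as unknown-branch rather than silently marked fixed. How the soap module is disabled is packaging-specific and not covered by this page; on Debian-family packaging it is the phpdismod soap helper followed by a PHP-FPM or Apache reload, elsewhere it is the extension=soap line in php.ini or the separate php-soap package.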