ctipilot.ch


CVE-2026-6722 — PHP SOAP extension use-after-free in `SOAP_GLOBAL(ref_map)`, CVSS 9.5 (with companion CVE-2026-7261, CVE-2026-7262)

From CTI Daily Brief — 2026-05-11 · published 2026-05-11

The PHP project published GHSA-85c2-q967-79q5 on 2026-05-07 disclosing a CWE-416 use-after-free in the ext-soap object-deduplication path (PHP GHSA-85c2-q967-79q5). The bug lives in the libxml2-node-keyed `SOAP_GLOBAL(ref_map)` hash that `soap_add_xml_ref()` populates when deserialising a SOAP envelope's references; the helper stores raw PHP object pointers without incrementing reference counts. A SOAP envelope carrying an `apache:Map` node with duplicate keys causes the second hash insertion to free the original PHP object while a stale pointer remains; subsequent `href` resolutions return the freed memory address, which the allocator may have already filled with attacker-controlled bytes.

php.watch confirms the 2026-05-07 release date and the CVE-to-GHSA mapping (php.watch — PHP 8.5.6 release, 2026-05-07). Affected versions are PHP 8.2.0 through 8.5.5; fixes shipped in 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 (PHP 8 ChangeLog).

Severity labels split between primaries: GHSA-85c2-q967-79q5 labels severity "High"; NVD's CVSS 4.0 vector for CVE-2026-6722 scores 9.5, which the CVSS-4.0 rubric classifies as Critical. The same release fixes two companion memory-management defects:

- CVE-2026-7261: UAF in `SOAP_PERSISTENCE_SESSION` header parsing (GHSA-m33r-qmcv-p97q, CVSS 4.0 6.3 Moderate).
- CVE-2026-7262: NULL dereference in Apache map NULL check (GHSA-hmxp-6pc4-f3vv, CVSS 4.0 6.3 Moderate).

No public proof-of-concept and no in-the-wild exploitation are reported as of this run; the CVSS-4.0 score is 9.5 because a SoapServer exposed on a public endpoint is reachable without authentication (SOAP endpoints typically do not require session cookies) and the impact is arbitrary code execution as the PHP worker.

Inclusion is discretionary under PD-11: NVD CVSS 4.0 records the severity as 9.5 (Critical) on a pre-auth network-reachable code path of a runtime present in essentially every Internet-exposed PHP application; the GHSA primary labels severity High. No public proof-of-concept has been released and no in-the-wild exploitation has been reported. The inclusion gate "ENISA EUVD entry with CVSS 9.0–10.0" applies in spirit (ENISA EUVD API returned empty body across every bridge subcommand this run — see § 7 fetch_failures); included for forward-looking patch prioritisation given the breadth of the attack surface. § 5 covers detection / hardening.

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-6722 | PHP 8.2.0–8.5.5 (ext-soap, `SOAP_GLOBAL(ref_map)`) | 9.5 (CVSS 4.0) | not yet scored | No | No (no ITW confirmed) | 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 (2026-05-07) | PHP GHSA |
| CVE-2026-7261 | PHP 8.2.0–8.5.5 (ext-soap, persistence session) | 6.3 | not yet scored | No | No | 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 | PHP GHSA-m33r-qmcv-p97q |
| CVE-2026-7262 | PHP 8.2.0–8.5.5 (ext-soap, apache map NULL deref) | 6.3 | not yet scored | No | No | 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 | PHP GHSA-hmxp-6pc4-f3vv |
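
A host-level triage check built from the affected range and fixed releases listed above; this is an added example, not code from the PHP project or from this brief. The function names and status labels are hypothetical, and the check reads only a version string and `php -m` output.

```shell
#!/bin/sh
# Added example: patch triage for CVE-2026-6722 / CVE-2026-7261 / CVE-2026-7262.
# Fixed releases per the brief: 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6.

# fixed_patch BRANCH -> first fixed patch level for that branch, empty if unlisted
fixed_patch() {
    case "$1" in
        8.2|8.3) echo 31 ;;
        8.4)     echo 21 ;;
        8.5)     echo 6 ;;
    esac
}

# soap_triage VERSION MODULES
#   VERSION: e.g. "8.3.30", "8.4.21-1+deb", "PHP 8.2.29 (cli)" (suffixes ignored)
#   MODULES: newline-separated module list as printed by `php -m`
# Prints: patched | affected-soap-loaded | affected-soap-not-loaded |
#         out-of-range (branch not in the brief's 8.2-8.5 range) | unparsed
soap_triage() {
    ver=$(printf '%s\n' "$1" | head -n 1 |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unparsed; return; }
    branch=${ver%.*}      # "8.3.30" -> "8.3"
    patch=${ver##*.}      # "8.3.30" -> "30"
    fixed=$(fixed_patch "$branch")
    [ -n "$fixed" ] || { echo out-of-range; return; }
    if [ "$patch" -ge "$fixed" ]; then
        echo patched
    elif printf '%s\n' "$2" | grep -qix 'soap'; then
        echo affected-soap-loaded       # vulnerable code is loaded: patch first
    else
        echo affected-soap-not-loaded   # affected build, ext-soap not loaded
    fi
}

# Stand-alone use on the local host, when a php binary is on PATH.
if command -v php >/dev/null 2>&1; then
    soap_triage "$(php -r 'echo PHP_VERSION;')" "$(php -m)"
fi
```

The `php` CLI can be a different build from the FPM or mod_php runtime that serves web traffic, and distribution packages may backport fixes without changing the upstream version number, so confirm the result against the runtime that actually hosts SoapServer.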