ctipilot.ch

PHP SOAP extension use-after-free in SOAP_GLOBAL(ref_map) via apache:Map duplicate-key insertion (CVSS 9.5, pre-auth, all 8.x, fixed 2026-05-07)

cve · CVE-2026-6722

Coverage timeline
4
first 2026-05-11 → last 2026-05-17
Briefs
2
2 distinct
Sources cited
875
267 hosts
Sections touched
4
action_items, deep_dive, trending_vulns
Co-occurring entities
3
see Related entities below

Story timeline

  1. 2026-05-17CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026)
    weekly_summaryConsolidated in weekly summary for 2026-W20
  2. 2026-05-11CTI Daily Brief — 2026-05-11
    trending_vulnsFirst coverage. CWE-416 in PHP ext-soap SOAP_GLOBAL(ref_map): duplicate apache:Map keys overwrite the deduplication map without refcounting, freeing the original PHP object while a stale pointer remains; subsequent href references retrieve the freed memory address. Affects PHP 8.2.0 through 8.5.5; fixed in 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 on 2026-05-07. Companion CVE-2026-7261 and CVE-2026-7262. No public PoC and no ITW yet. Deep dive in § 5.
  3. 2026-05-11CTI Daily Brief — 2026-05-11
    deep_diveDeep dive: vulnerable function soap_add_xml_ref(); detection class (WAF rule on duplicate apache:Map keys; php-fpm SIGSEGV monitoring; unexpected child processes from php-fpm parents); hardening (patch, phpdismod soap on hosts that do not need it, WAF rule for unused-but-required SOAP endpoints, mTLS for SOAP integration partners).
  4. 2026-05-11CTI Daily Brief — 2026-05-11
    action_itemsAction item: patch PHP across web-facing infrastructure; phpdismod soap where unused; WAF block on apache:Map duplicate-key envelopes; rebuild container base images against patched minors.

Where this entity is cited

  • trending_vulns1
  • deep_dive1
  • action_items1
  • weekly_summary1

Source distribution

  • thehackernews.com93 (11%)
  • bleepingcomputer.com74 (8%)
  • securityweek.com43 (5%)
  • github.com27 (3%)
  • helpnetsecurity.com27 (3%)
  • security-hub.ncsc.admin.ch25 (3%)
  • microsoft.com14 (2%)
  • msrc.microsoft.com14 (2%)
  • other558 (64%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (875)

Items in briefs about PHP SOAP extension use-after-free in SOAP_GLOBAL(ref_map) via apache:Map duplicate-key insertion (CVSS 9.5, pre-auth, all 8.x, fixed 2026-05-07) (4)

CVE-2026-6722 — PHP SOAP UAF in `SOAP_GLOBAL(ref_map)` (with companions CVE-2026-7261 / CVE-2026-7262)

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17 · view item permalink →

PHP SOAP-extension use-after-free in SOAP_GLOBAL(ref_map), CVSS 9.5, with two related companions (CVE-2026-7261 and CVE-2026-7262, both SOAP-class, CVSS 6.3 each). Patched on 2026-05-07 in PHP 8.5.6 and equivalents across maintained 8.4 / 8.3 / 8.2 branches per the official PHP GHSA. No ITW exploitation at week-end; daily 2026-05-11 recommends explicit patch validation for any web-facing PHP infrastructure with SOAP enabled (daily 2026-05-11; PHP GHSA-85c2-q967-79q5).

CVE-2026-6722 — PHP SOAP extension use-after-free in `SOAP_GLOBAL(ref_map)`, CVSS 9.5 (with companion CVE-2026-7261, CVE-2026-7262)

From CTI Daily Brief — 2026-05-11 · published 2026-05-11 · view item permalink →

The PHP project published GHSA-85c2-q967-79q5 on 2026-05-07 disclosing a CWE-416 use-after-free in the ext-soap object-deduplication path (PHP GHSA-85c2-q967-79q5). The bug lives in the libxml2-node-keyed SOAP_GLOBAL(ref_map) hash that soap_add_xml_ref() populates when deserialising a SOAP envelope's references; the helper stores raw PHP object pointers without incrementing reference counts. A SOAP envelope carrying an apache:Map node with duplicate keys causes the second hash insertion to free the original PHP object while a stale pointer remains; subsequent href resolutions return the freed memory address, which the allocator may have already filled with attacker-controlled bytes. php.watch confirms the 2026-05-07 release date and the CVE-to-GHSA mapping (php.watch — PHP 8.5.6 release, 2026-05-07). Affected versions are PHP 8.2.0 through 8.5.5; fixes shipped in 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 (PHP 8 ChangeLog). Severity labels split between primaries: GHSA-85c2-q967-79q5 labels severity "High"; NVD's CVSS 4.0 vector for CVE-2026-6722 scores 9.5, which the CVSS-4.0 rubric classifies as Critical. The same release fixes companion memory-management defects CVE-2026-7261 (UAF in SOAP_PERSISTENCE_SESSION header parsing — GHSA-m33r-qmcv-p97q, CVSS 4.0 6.3 Moderate) and CVE-2026-7262 (NULL dereference in Apache map NULL check — GHSA-hmxp-6pc4-f3vv, CVSS 4.0 6.3 Moderate). No public proof-of-concept and no in-the-wild exploitation are reported as of this run; the CVSS-4.0 score is 9.5 because a SoapServer exposed on a public endpoint is reachable without authentication (SOAP endpoints typically do not require session cookies) and the impact is arbitrary code execution as the PHP worker.

Inclusion is discretionary under PD-11: NVD CVSS 4.0 records the severity as 9.5 (Critical) on a pre-auth network-reachable code path of a runtime present in essentially every Internet-exposed PHP application; the GHSA primary labels severity High. No public proof-of-concept has been released and no in-the-wild exploitation has been reported. The inclusion gate "ENISA EUVD entry with CVSS 9.0–10.0" applies in spirit (ENISA EUVD API returned empty body across every bridge subcommand this run — see § 7 fetch_failures); included for forward-looking patch prioritisation given the breadth of the attack surface. § 5 covers detection / hardening.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-6722 PHP 8.2.0–8.5.5 (ext-soap, SOAP_GLOBAL(ref_map)) 9.5 (CVSS 4.0) not yet scored No No (no ITW confirmed) 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 (2026-05-07) PHP GHSA
CVE-2026-7261 PHP 8.2.0–8.5.5 (ext-soap, persistence session) 6.3 not yet scored No No 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 PHP GHSA-m33r-qmcv-p97q
CVE-2026-7262 PHP 8.2.0–8.5.5 (ext-soap, apache map NULL deref) 6.3 not yet scored No No 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 PHP GHSA-hmxp-6pc4-f3vv

Hardening and mitigation

From CTI Daily Brief — 2026-05-11 · published 2026-05-11 · view item permalink →

  • Patch is the primary mitigation: upgrade to PHP 8.2.31, 8.3.31, 8.4.21 or 8.5.6 (all released 2026-05-07). Inventory PHP versions across web-facing infrastructure, including container base images that may have pinned older PHP minors.
  • If patching is delayed: disable the SOAP extension where unused — phpdismod soap (Debian/Ubuntu), remove extension=soap from php.ini (RHEL family), or rebuild custom Docker images without the extension. Restart PHP-FPM after the change.
  • Where SOAP must remain available: front the SoapServer endpoint with a WAF rule blocking duplicate-key apache:Map patterns and unusually deep XML nesting, restrict the endpoint to known consumer IP ranges via firewall, and require mutual-TLS for the SOAP endpoint where the integration partner supports it.
  • Defence-in-depth: PHP-FPM workers should run with the minimum filesystem privileges needed; open_basedir restrictions; disable_functions should include exec, system, shell_exec, passthru, proc_open, popen; SELinux or AppArmor confinement of the PHP worker process limits the blast radius of any successful RCE.
  • Audit your SoapServer instantiations: grep -rn 'new SoapServer' /var/www/ to enumerate every endpoint; document which are exposed publicly versus internally; remove or restrict the publicly-exposed ones unless business-justified.

Patch PHP across all web-facing infrastructure

From CTI Daily Brief — 2026-05-11 · published 2026-05-11 · view item permalink →

Upgrade every PHP 8.x installation to 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 (released 2026-05-07). Highest priority on Internet-exposed SoapServer endpoints — integration handlers, legacy ERP middleware, e-government forms-processing services. Inventory container base images (php:8.x-fpm, php:8.x-apache) and rebuild against patched minors. Where the patch cannot be applied immediately, phpdismod soap (or equivalent) on hosts that do not need SOAP, and front any remaining SoapServer with a WAF rule against duplicate-key apache:Map envelopes. See § 5 for the full detection and hardening playbook.