ctipilot.ch

CVE-2026-7262

  • Coverage timeline: 1 (first 2026-05-11 → last 2026-05-11)
  • Briefs: 1 (1 distinct)
  • Sources cited: 5 (3 hosts)
  • Sections touched: 0
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-05-11: CTI Daily Brief — 2026-05-11

Source distribution

  • github.com: 3 (60%)
  • php.net: 1 (20%)
  • php.watch: 1 (20%)

Related entities

Items in briefs about CVE-2026-7262 (2)

CVE-2026-6722 — PHP SOAP extension use-after-free in `SOAP_GLOBAL(ref_map)`, CVSS 9.5 (with companion CVE-2026-7261, CVE-2026-7262)

From CTI Daily Brief — 2026-05-11 · published 2026-05-11

The PHP project published GHSA-85c2-q967-79q5 on 2026-05-07 disclosing a CWE-416 use-after-free in the ext-soap object-deduplication path (PHP GHSA-85c2-q967-79q5). The bug lives in the libxml2-node-keyed SOAP_GLOBAL(ref_map) hash that soap_add_xml_ref() populates when deserialising a SOAP envelope's references; the helper stores raw PHP object pointers without incrementing reference counts. A SOAP envelope carrying an apache:Map node with duplicate keys causes the second hash insertion to free the original PHP object while a stale pointer remains; subsequent href resolutions return the freed memory address, which the allocator may have already filled with attacker-controlled bytes. php.watch confirms the 2026-05-07 release date and the CVE-to-GHSA mapping (php.watch — PHP 8.5.6 release, 2026-05-07). Affected versions are PHP 8.2.0 through 8.5.5; fixes shipped in 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 (PHP 8 ChangeLog). Severity labels split between primaries: GHSA-85c2-q967-79q5 labels severity "High"; NVD's CVSS 4.0 vector for CVE-2026-6722 scores 9.5, which the CVSS-4.0 rubric classifies as Critical. The same release fixes companion memory-management defects CVE-2026-7261 (UAF in SOAP_PERSISTENCE_SESSION header parsing — GHSA-m33r-qmcv-p97q, CVSS 4.0 6.3 Moderate) and CVE-2026-7262 (NULL dereference in Apache map NULL check — GHSA-hmxp-6pc4-f3vv, CVSS 4.0 6.3 Moderate). No public proof-of-concept and no in-the-wild exploitation are reported as of this run; the CVSS-4.0 score is 9.5 because a SoapServer exposed on a public endpoint is reachable without authentication (SOAP endpoints typically do not require session cookies) and the impact is arbitrary code execution as the PHP worker.

Inclusion is discretionary under PD-11: NVD CVSS 4.0 records the severity as 9.5 (Critical) on a pre-auth network-reachable code path of a runtime present in essentially every Internet-exposed PHP application; the GHSA primary labels severity High. No public proof-of-concept has been released and no in-the-wild exploitation has been reported. The inclusion gate "ENISA EUVD entry with CVSS 9.0–10.0" applies in spirit (ENISA EUVD API returned empty body across every bridge subcommand this run — see § 7 fetch_failures); included for forward-looking patch prioritisation given the breadth of the attack surface. § 5 covers detection / hardening.

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-6722 | PHP 8.2.0–8.5.5 (ext-soap, SOAP_GLOBAL(ref_map)) | 9.5 (CVSS 4.0) | not yet scored | No | No (no ITW confirmed) | 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 (2026-05-07) | PHP GHSA |
| CVE-2026-7261 | PHP 8.2.0–8.5.5 (ext-soap, persistence session) | 6.3 | not yet scored | No | No | 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 | PHP GHSA-m33r-qmcv-p97q |
| CVE-2026-7262 | PHP 8.2.0–8.5.5 (ext-soap, apache map NULL deref) | 6.3 | not yet scored | No | No | 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 | PHP GHSA-hmxp-6pc4-f3vv |

Hardening and mitigation

From CTI Daily Brief — 2026-05-11 · published 2026-05-11

  • Patch is the primary mitigation: upgrade to PHP 8.2.31, 8.3.31, 8.4.21 or 8.5.6 (all released 2026-05-07). Inventory PHP versions across web-facing infrastructure, including container base images that may have pinned older PHP minors.
  • If patching is delayed: disable the SOAP extension where unused — phpdismod soap (Debian/Ubuntu), remove extension=soap from php.ini (RHEL family), or rebuild custom Docker images without the extension. Restart PHP-FPM after the change.
  • Where SOAP must remain available: front the SoapServer endpoint with a WAF rule blocking duplicate-key apache:Map patterns and unusually deep XML nesting, restrict the endpoint to known consumer IP ranges via firewall, and require mutual-TLS for the SOAP endpoint where the integration partner supports it.
  • Defence-in-depth: run PHP-FPM workers with the minimum filesystem privileges needed, apply open_basedir restrictions, include exec, system, shell_exec, passthru, proc_open and popen in disable_functions, and confine the PHP worker process with SELinux or AppArmor to limit the blast radius of any successful RCE.
  • Audit your SoapServer instantiations: grep -rn 'new SoapServer' /var/www/ to enumerate every endpoint; document which are exposed publicly versus internally; remove or restrict the publicly-exposed ones unless business-justified.
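As an added example (not from the brief or the PHP project), a small Python triage helper for the inventory step above: it reads the output of `php -v` and `php -m`, checks the build against the fixed releases listed in the brief (8.2.31 / 8.3.31 / 8.4.21 / 8.5.6), and reports whether the host is exposed because the soap extension is loaded. The sample command outputs are constructed; the `triage` result labels are my own.

```python
import re

# First fixed patch release per minor branch, as stated in the brief
# (8.2.31 / 8.3.31 / 8.4.21 / 8.5.6). Branches outside 8.2-8.5 are not
# listed as affected by the advisory, so they are treated as not affected.
FIXED_PATCH = {(8, 2): 31, (8, 3): 31, (8, 4): 21, (8, 5): 6}

# Constructed sample outputs standing in for `php -v` and `php -m` on a host.
SAMPLE_PHP_V = "PHP 8.3.30 (cli) (built: May  1 2026 10:00:00) (NTS)\nCopyright (c) The PHP Group\n"
SAMPLE_PHP_M = "[PHP Modules]\nCore\nctype\nsoap\nxml\n\n[Zend Modules]\n"


def parse_version(php_v_output: str) -> tuple:
    """Extract (major, minor, patch) from the first 'PHP x.y.z' line of `php -v`."""
    m = re.search(r"^PHP (\d+)\.(\d+)\.(\d+)", php_v_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'PHP x.y.z' line found in php -v output")
    return tuple(int(part) for part in m.groups())


def version_affected(version: tuple) -> bool:
    """True when the build is in the advisory range (8.2.0-8.5.5) and predates
    the fixed release for its branch."""
    major, minor, patch = version
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def soap_loaded(php_m_output: str) -> bool:
    """True when `php -m` lists the soap extension (the vulnerable component)."""
    return any(line.strip().lower() == "soap" for line in php_m_output.splitlines())


def triage(php_v_output: str, php_m_output: str) -> str:
    """Classify a host as 'not-affected', 'affected-no-soap' or 'exposed'.
    A vulnerable build without ext-soap loaded still needs the upgrade, but
    the advisory's code path is not reachable on it."""
    if not version_affected(parse_version(php_v_output)):
        return "not-affected"
    return "exposed" if soap_loaded(php_m_output) else "affected-no-soap"


if __name__ == "__main__":
    # In practice feed the real command output, e.g. from subprocess.run(["php", "-v"]).
    print(triage(SAMPLE_PHP_V, SAMPLE_PHP_M))  # exposed
```

Run it per host (or per container image) and prioritise the "exposed" results; "affected-no-soap" hosts still need the upgrade but are not reachable through the SOAP path.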