Critical use-after-free in PHP ext-soap enables remote code execution
TL;DR - PHP's soap extension mishandles apache:Map nodes with duplicate keys: the original PHP object is freed while a stale pointer stays in the global deduplication map. A subsequent href reference copies that dangling pointer back into the result. Attacker controls the SOAP body, attacker gets RCE. CVSS 9.5.
What happened
PHP's soap extension (ext-soap) parses SOAP XML and builds an object graph from the incoming request body. CVE-2026-6722 is a use-after-free in the object deduplication mechanism that sits at the heart of that parsing logic.
The deduplication code stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, the second entry overwrites the first in the temporary result map. That frees the original PHP object - but the stale pointer remains in the global map. A later href reference to the freed node copies that dangling pointer back into the result.
From there, the path to exploitation is straightforward. Subsequent PHP string allocations can reclaim the freed memory region. An attacker who controls the SOAP request body can steer that stale pointer reuse toward remote code execution.
| Item | Detail |
|---|---|
| Affected component | PHP soap (ext-soap) |
| Weakness | CWE-416 Use After Free |
| Severity | CVSS v4.0 9.5 (Critical) |
| CVSS vector | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/RE:M/U:Red |
ext-soap sits on internet-facing request parsing paths in a large number of legacy and enterprise stacks. Memory-safety failures in core runtimes carry outsized blast radius. For background on this bug class, see our memory safety research hub.
Who is impacted
- Any deployment that processes attacker-controlled SOAP request bodies via ext-soap.
- PHP across four release lines:
| Release line | Affected versions |
|---|---|
| 8.2.* | < 8.2.31 |
| 8.3.* | < 8.3.31 |
| 8.4.* | < 8.4.21 |
| 8.5.* | < 8.5.6 |
What to do now
- Patch immediately. Move every affected PHP deployment to a fixed version. Prioritise services that expose SOAP endpoints to the internet, but treat internal services reachable by untrusted tenants or partner networks as equally urgent.
- Inventory where ext-soap is enabled and reachable: container images, AMIs, base OS packages, and PHP runtime flags all need checking.
- Review request logs for unusual SOAP payload patterns - specifically apache:Map nodes with duplicate keys followed by href references to those nodes.
- If compromise is suspected, rotate credentials accessible to the impacted service before continuing the investigation.
- Use this as a prompt to reduce long-tail parsing risk. Eliminate SOAP endpoints where feasible. For everything else, tighten dependency and base-image update workflows - our secure dependency management guide covers the operational steps.
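
The two checks above that lend themselves to automation are the version inventory (the release-line table) and the request-log review (apache:Map nodes with duplicate keys followed by href references). The script below is an added example written for this page; it is not code from the PHP project or from this advisory's author. The fixed-version thresholds come straight from the table. Everything else is an assumption for illustration: the item/key/value layout inside a Map-typed element, matching the map by the local part of its xsi:type, the id/href="#id" linkage, and the two SOAP bodies, which are constructed fixtures rather than captured traffic.

```python
"""Triage helpers for the PHP ext-soap apache:Map use-after-free.

Added example, not code from the PHP project or the advisory author.
  1. is_affected(): is a PHP version string inside an affected range?
  2. flag_suspicious_soap(): does a SOAP body contain an apache:Map with
     duplicate keys that is later referenced via href?
The SOAP element layout assumed here is a simplification for illustration,
not a statement about ext-soap's exact serialisation.
"""
import re
import xml.etree.ElementTree as ET  # for production triage prefer a hardened parser (e.g. defusedxml)
from collections import Counter

# Fixed versions per release line, taken from the advisory's table.
FIXED_VERSIONS = {
    (8, 2): (8, 2, 31),
    (8, 3): (8, 3, 31),
    (8, 4): (8, 4, 21),
    (8, 5): (8, 5, 6),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def is_affected(version: str):
    """True if affected, False if fixed, None if the release line is not covered.

    A non-empty suffix (e.g. '8.5.6RC1') is treated as sorting before the bare
    release, so a pre-release of the fixed version still counts as affected
    (assumption: PHP RCs precede the GA build of the same number)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    prerelease = bool(m.group(4))
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    if (major, minor, patch) < fixed:
        return True
    return (major, minor, patch) == fixed and prerelease


XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"


def _local(tag: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag name."""
    return tag.rsplit("}", 1)[-1]


def flag_suspicious_soap(xml_text: str) -> list:
    """Return human-readable findings for one SOAP body.

    Flags any Map-typed element (xsi:type local part 'Map', assumed to be
    the apache:Map form) whose <item><key> children repeat, and any later
    href="#id" that points back at such a map. Unparseable XML is itself a
    finding: a body that breaks the parser is worth a look."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    dup_map_ids = set()
    for el in root.iter():  # document order: duplicates first, href afterwards
        xsi_type = el.get(f"{{{XSI_NS}}}type", "")
        if xsi_type.split(":")[-1] == "Map":
            keys = [
                (k.text or "").strip()
                for item in el if _local(item.tag) == "item"
                for k in item if _local(k.tag) == "key"
            ]
            dups = sorted(k for k, n in Counter(keys).items() if n > 1)
            if dups:
                map_id = el.get("id")
                findings.append(f"Map id={map_id} has duplicate keys {dups}")
                if map_id:
                    dup_map_ids.add(map_id)
        href = el.get("href", "")
        if href.startswith("#") and href[1:] in dup_map_ids:
            findings.append(f"href={href} references a map with duplicate keys")
    return findings


# Constructed fixtures (not captured traffic); 'doThing' and 'urn:example' are placeholders.
_ENVELOPE = """<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:apache="http://xml.apache.org/xml-soap">
  <SOAP-ENV:Body><ns1:doThing xmlns:ns1="urn:example">
    <arg id="m1" xsi:type="apache:Map">
      <item><key xsi:type="xsd:string">a</key><value xsi:type="xsd:string">1</value></item>
      <item><key xsi:type="xsd:string">%s</key><value xsi:type="xsd:string">2</value></item>
    </arg>
    <again href="#m1"/>
  </ns1:doThing></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
SAMPLE_SUSPICIOUS = _ENVELOPE % "a"   # second key repeats 'a'
SAMPLE_BENIGN = _ENVELOPE % "b"       # distinct keys, same href

if __name__ == "__main__":
    for v in ("8.2.30", "8.2.31", "8.5.6RC1", "8.1.30"):
        print(v, "->", is_affected(v))
    print("suspicious:", flag_suspicious_soap(SAMPLE_SUSPICIOUS))
    print("benign:", flag_suspicious_soap(SAMPLE_BENIGN))
```

Run is_affected over the output of `php -v` (or the version baked into each container image and AMI) to build the inventory, and feed flag_suspicious_soap the raw request bodies from access or WAF logs; a hit on both the duplicate-key map and the href is the pattern the advisory singles out, while a duplicate-key map alone is a weaker signal that still deserves a second look.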
