PHP SOAP Extension Vulnerabilities Enable Remote Code Execution

PHP SOAP Extension Vulnerabilities Enable Remote Code Execution
You are here:

EXECUTIVE SUMMARY

A critical Use-After-Free vulnerability in PHP’s ext-soap extension, tracked as CVE-2026-6722, could allow unauthenticated remote attackers to achieve Remote Code Execution (RCE) through specially crafted SOAP requests exploiting stale memory references in Apache SOAP map handling. Researchers also disclosed multiple additional SOAP and PHP core memory corruption vulnerabilities alongside this issue.


Successful exploitation may allow attackers to execute arbitrary commands, compromise affected servers, deploy malware, or gain unauthorized access to sensitive enterprise data. Organizations running vulnera-ble PHP versions with exposed SOAP services are strongly advised to apply security updates immediately or disable the SOAP extension if not required.

  • CVE: CVE-2026-6722
  • CVSS Score: 9.5
  • Vulnerability Type: Use-After-Free / Remote Code Execution (RCE)
  • Active Region: Global
  • Affected Sector: Organizations using PHP-based web applications and SOAP services
  • Affected Product: PHP SOAP Extension
  • Severity: Critical
  • Published Date: May 11, 2026

TECHNICAL DETAILS

A critical Use-After-Free (CWE-416) vulnerability exists in PHP’s ext-soap extension due to improper reference count handling within SOAP_GLOBAL(ref_map). By sending crafted SOAP requests containing malicious apache:Map structures and stale href references, attackers can trigger memory corruption and achieve Remote Code Execution on vulnerable servers.

  • Target: Internet-facing PHP SOAP endpoints running vulnerable PHP versions with the ext-soap module enabled and accessible over the network.
  • Root Cause: Improper object reference count management within PHP’s ext-soap XML parsing and object deduplication mechanism (SOAP_GLOBAL(ref_map)), resulting in a Use-After-Free……

Download the Report

Date

Share

Previous Reports