CVE-2026-6722

Name: CVE-2026-6722
Description: In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4586-1, DSA-6255-1, DSA-6256-1
Debian Bugs: 1136054

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| php7.4 (PTS) | bullseye | 7.4.33-1+deb11u5 | vulnerable |
| | bullseye (security) | 7.4.33-1+deb11u11 | fixed |
| php8.2 (PTS) | bookworm, bookworm (security) | 8.2.31-1~deb12u1 | fixed |
| php8.4 (PTS) | trixie | 8.4.16-1~deb13u1 | vulnerable |
| | trixie (security) | 8.4.21-1~deb13u1 | fixed |
| | forky, sid | 8.4.21-1 | fixed |

The information below is based on the following data on fixed versions.

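| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| php7.4 | source | bullseye | 7.4.33-1+deb11u11 | | DLA-4586-1 | |
| php7.4 | source | (unstable) | (unfixed) | | | |
| php8.2 | source | bookworm | 8.2.31-1~deb12u1 | | DSA-6255-1 | |
| php8.2 | source | (unstable) | (unfixed) | | | |
| php8.4 | source | trixie | 8.4.21-1~deb13u1 | | DSA-6256-1 | |
| php8.4 | source | (unstable) | 8.4.21-1 | | | 1136054 |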

Notes

https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5
https://github.com/php/php-src/commit/aee3b3ac9b816b0def1c462695b483b49a83148e
