CVE-2026-6722

CVE Details

Release Date: 2026-05-10
Impact: Important

Description


In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

See more information about CVE-2026-6722 in the MITRE CVE dictionary and the NIST NVD.
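The affected ranges above are per-branch thresholds (8.2.x below 8.2.31, 8.3.x below 8.3.31, 8.4.x below 8.4.21, 8.5.x below 8.5.6), and the bug is only reachable when the SOAP extension is loaded and exposed to attacker-controlled request bodies. The following is an added triage helper, not code from the advisory or from the PHP project: it parses the output of `php -v` and `php -m` (sample outputs are constructed inline) and reports whether a host is in an affected upstream version range with the soap module loaded. The fixed-version table is taken from the description above; the `FIXED` dictionary, function names and sample strings are this example's own.

```python
"""Triage helper for CVE-2026-6722: is this PHP build in an affected upstream range,
and is the SOAP extension even loaded?  Added example, not part of the advisory."""
import re

# Minimum fixed release per affected branch, copied from the CVE description.
# Branches not listed here (e.g. 8.1.x) are not named by the advisory.
FIXED = {
    (8, 2): (8, 2, 31),
    (8, 3): (8, 3, 31),
    (8, 4): (8, 4, 21),
    (8, 5): (8, 5, 6),
}


def parse_php_version(text):
    """Extract (major, minor, patch) from strings like 'PHP 8.3.12 (cli) (built: ...)'
    or a bare '8.2.30-1'.  Raises ValueError when no x.y.z is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the upstream version lies in one of the advisory's affected ranges.
    Caveat: distribution builds that backport the fix keep the old upstream number,
    so on Oracle Linux the errata (ELSA) state, not this check, is authoritative."""
    major, minor, patch = parse_php_version(version_text)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) < fixed


def soap_loaded(php_m_text):
    """True when 'soap' appears as a module name in `php -m` output.
    `php -m` prints one module per line under a '[PHP Modules]' header."""
    return any(line.strip().lower() == "soap" for line in php_m_text.splitlines())


def needs_attention(version_text, php_m_text):
    """Combine both signals: only a version in range with soap loaded is exposed."""
    return is_affected(version_text) and soap_loaded(php_m_text)


# Constructed sample outputs standing in for `php -v` and `php -m` on one host.
SAMPLE_PHP_V = "PHP 8.3.12 (cli) (built: Sep 24 2024 10:00:00) (NTS)"
SAMPLE_PHP_M = "[PHP Modules]\nctype\ncurl\njson\nsoap\nxml\n\n[Zend Modules]\n"

if __name__ == "__main__":
    print("version:", parse_php_version(SAMPLE_PHP_V))
    print("in affected range:", is_affected(SAMPLE_PHP_V))
    print("soap loaded:", soap_loaded(SAMPLE_PHP_M))
    print("needs attention:", needs_attention(SAMPLE_PHP_V, SAMPLE_PHP_M))
```

On a real host feed it `php -v` and `php -m` output (for example `php -m | python3 triage.py` after a small `sys.stdin.read()` wrapper). Remember the caveat in `is_affected`: the Oracle Linux packages listed in the errata section below are patched through ELSA updates that may not change the upstream version string, so confirm the installed errata with `yum updateinfo list` or `rpm -q --changelog php` rather than trusting the version number alone.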


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 7.7
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Version: 3.1
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low

Errata information


Platform                              Errata             Release Date
Oracle Linux version 8 (libzip)       ELSA-2026-34354    2026-07-02
Oracle Linux version 8 (php)          ELSA-2026-34354    2026-07-02
Oracle Linux version 8 (php-pear)     ELSA-2026-34354    2026-07-02
Oracle Linux version 8 (php-pecl-apcu)   ELSA-2026-34354    2026-07-02
Oracle Linux version 8 (php-pecl-rrd)    ELSA-2026-34354    2026-07-02
Oracle Linux version 8 (php-pecl-xdebug) ELSA-2026-34354    2026-07-02
Oracle Linux version 8 (php-pecl-zip)    ELSA-2026-34354    2026-07-02
Oracle Linux version 9 (php)          ELSA-2026-33449    2026-07-02


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
