External risk intelligence

PHP servers can be taken over by attackers

CVE advisory

Severity: CRITICAL (CVSS 9.5)

CVE-2026-6722

A critical flaw in PHP's SOAP extension could let attackers run their own code on your servers through malicious requests. This is urgent for all PHP installations.

Halo Surface Signal: 4

Use After Free

PHP

  • 8.2.0 to before 8.2.31
  • 8.3.0 to before 8.3.31
  • 8.4.0 to before 8.4.21
  • 8.5.0 to before 8.5.6

External exposure likelihood

Halo Surface Signal score for CVE-2026-6722

The vulnerability exists in the PHP SOAP extension. PHP is widely used to power server-side web applications and services, which are frequently deployed as internet-facing endpoints or APIs. These applications are typically designed to process external requests, so the vulnerable surface is commonly exposed to the public internet in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in PHP's SOAP extension allows attackers to execute arbitrary code. It occurs when duplicate entries in a SOAP request cause memory management issues, leading to a use-after-free condition that can be exploited. This is critical because it can allow remote code execution on affected PHP systems.

  • Remote code execution possible.
  • Widely used PHP applications are at risk.
  • Could impact business operations.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this PHP SOAP extension flaw by crafting a malicious SOAP request body. This request would trigger a use-after-free condition by causing duplicate keys in the request's XML structure, leading to memory corruption. The attacker can then leverage this to overwrite memory and achieve remote code execution on the affected PHP server.

  • No authentication required.
  • Target the SOAP extension.
  • Trigger duplicate keys in XML.

Live Threat

Current exploitation, exposure, and threat context

This use-after-free vulnerability in PHP's SOAP extension is a serious concern, offering a direct path to remote code execution. Attackers typically favor vulnerabilities that allow code execution on widely deployed systems with minimal prerequisites, and PHP fits that bill perfectly. While exploit development can be complex, the potential reward of compromising a server is significant, making this an attractive target for sophisticated threat actors.

  • Exploitable via network.
  • Public exploit code is unknown.
  • CVE published recently.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching PHP installations to versions 8.2.31, 8.3.31, 8.4.21, or 8.5.6 to address the use-after-free vulnerability in the SOAP extension. If immediate patching is not feasible, implement strict input validation for all SOAP requests and monitor for unusual memory allocation patterns or unexpected application behavior.

  • Apply PHP patches: 8.2.31, 8.3.31, 8.4.21, 8.5.6.
  • Monitor SOAP traffic for anomalies.
  • Isolate vulnerable PHP services.

Frequently asked questions

What is the PHP SOAP extension and its role in web services?

The PHP SOAP extension allows developers to create and interact with web services using the SOAP protocol. It supports subsets of SOAP 1.1, SOAP 1.2, and WSDL 1.1 specifications, enabling communication between different systems and platforms through XML-based messaging.

How does CVE-2026-6722 in the PHP SOAP extension lead to remote code execution?

CVE-2026-6722 is a use-after-free vulnerability in PHP's SOAP extension. It occurs when duplicate keys in an XML request's `apache:Map` node cause an object to be freed while a pointer to it remains. An attacker can then exploit this dangling pointer to overwrite memory and achieve remote code execution.

What types of vulnerabilities exist in the PHP SOAP extension, and what are their impacts?

Besides the critical remote code execution vulnerability (CVE-2026-6722), other flaws include use-after-free issues in session-persisted objects (CVE-2026-7261), null pointer dereferences leading to denial-of-service (CVE-2026-7262), and out-of-bounds reads in other PHP functions like `urldecode` (CVE-2026-7258) and `mbstring` (CVE-2026-6104).

What is the significance of CVE-2026-6722's network exploitability and potential impact?

This vulnerability is critical because it allows for unauthenticated remote code execution by attackers who can craft specific SOAP requests. Given PHP's widespread use in web applications, this flaw presents a significant risk, potentially allowing attackers to compromise servers that process untrusted SOAP inputs.

What are the recommended actions to mitigate risks associated with CVE-2026-6722 and related PHP vulnerabilities?

It is crucial to update PHP to patched versions: 8.2.31, 8.3.31, 8.4.21, or 8.5.6. If immediate patching is not possible, disabling the SOAP extension can serve as a temporary workaround. Strict input validation for SOAP requests and monitoring for unusual behavior are also advised.
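The remediation guidance in the Operational Fix section and in this answer comes down to two checks an operator can run on each host: is the installed PHP inside one of the affected ranges listed above, and is the SOAP extension actually loaded (if it is not, the temporary workaround is already in effect). The script below is an added example written for this page, not Halo's own tooling and not part of PHP; it encodes only the four affected ranges and fixed releases the advisory states, and parses the output of `php -v` and `php -m`. The sample outputs embedded in it are constructed for illustration. Branches the advisory does not list (for example 8.1) are reported as "unlisted" rather than "fixed", because the page makes no statement about them.

```python
"""Check a PHP host against the CVE-2026-6722 affected ranges and SOAP exposure.

Added example for this advisory page; the ranges below are transcribed from the
advisory's affected-version list. Feed it real `php -v` / `php -m` output, or run
with --live to invoke the local php binary.
"""
import re
import subprocess
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory: branch -> (first affected, first fixed).
# A version is affected when first_affected <= version < first_fixed.
AFFECTED_RANGES: Dict[Tuple[int, int], Tuple[Version, Version]] = {
    (8, 2): ((8, 2, 0), (8, 2, 31)),
    (8, 3): ((8, 3, 0), (8, 3, 31)),
    (8, 4): ((8, 4, 0), (8, 4, 21)),
    (8, 5): ((8, 5, 0), (8, 5, 6)),
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_PHP_V = (
    "PHP 8.2.20 (cli) (built: Jun  5 2024 12:00:00) (NTS)\n"
    "Copyright (c) The PHP Group\n"
)
SAMPLE_PHP_M = "[PHP Modules]\nCore\nctype\nsoap\nxml\n\n[Zend Modules]\n"


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (suffixes such as RC1 or -dev are ignored)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a PHP version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for a PHP version string."""
    v = parse_version(version)
    branch = AFFECTED_RANGES.get((v[0], v[1]))
    if branch is None:
        return "unlisted"  # the advisory says nothing about this branch
    first_affected, first_fixed = branch
    return "affected" if first_affected <= v < first_fixed else "fixed"


def version_from_php_v(output: str) -> Optional[str]:
    """Extract the version from the first line of `php -v` output."""
    m = re.search(r"^PHP (\d+\.\d+\.\d+)", output, re.MULTILINE)
    return m.group(1) if m else None


def soap_loaded(php_m_output: str) -> bool:
    """`php -m` prints one loaded module per line; look for 'soap'."""
    return any(line.strip().lower() == "soap" for line in php_m_output.splitlines())


def assess(php_v_output: str, php_m_output: str) -> Dict[str, object]:
    """Combine version status and SOAP presence into one finding.

    'exposed' is True only when the build is in an affected range AND the SOAP
    extension is loaded; a host with SOAP disabled already has the workaround
    from the advisory in place, though it still needs the patch.
    """
    version = version_from_php_v(php_v_output)
    if version is None:
        return {"version": None, "status": "unknown", "soap_loaded": None, "exposed": None}
    status = classify(version)
    soap = soap_loaded(php_m_output)
    return {
        "version": version,
        "status": status,
        "soap_loaded": soap,
        "exposed": status == "affected" and soap,
    }


def main() -> None:
    if "--live" in sys.argv:
        v_out = subprocess.run(["php", "-v"], capture_output=True, text=True).stdout
        m_out = subprocess.run(["php", "-m"], capture_output=True, text=True).stdout
    else:
        v_out, m_out = SAMPLE_PHP_V, SAMPLE_PHP_M
    for key, value in assess(v_out, m_out).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Run without arguments it evaluates the constructed sample (an 8.2.20 build with SOAP loaded, which is reported as exposed); with `--live` it calls the local `php` binary. The range comparison is done on integer tuples rather than string comparison so that 8.2.9 sorts below 8.2.31, which a naive string compare gets wrong.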
