For the system administrators and DevOps engineers who maintain the backbone of the internet, PHP is a foundational tool. However, a new wave of security disclosures has revealed that even this seasoned veteran of web development is not immune to critical architectural flaws.
According to a series of important security advisories, several vulnerabilities have been identified across multiple PHP versions—including the latest 8.4 and 8.5 branches—that could allow attackers to crash servers or execute malicious scripts.
The most severe vulnerability in this release is CVE-2026-6722, which carries a critical CVSS score of 9.5. This flaw exists within the PHP SOAP extension’s object deduplication mechanism.
When the extension processes duplicate keys within an apache:Map node, a memory management error occurs. Processing the second entry overwrites the first in the temporary map, which frees the original PHP object while leaving a stale, dangling pointer behind in the global map. If an attacker subsequently uses an href reference to point to that freed node, the dangling pointer is copied into the result.
Because standard PHP string allocations can reclaim this freed memory, an attacker who controls the SOAP request body can exploit this use-after-free vulnerability to execute arbitrary code remotely on the server. For security teams, this is an immediate red flag requiring urgent remediation.
Another high-priority issue is CVE-2026-6735 (CVSS 7.3), which impacts the PHP-FPM status page. Due to inadequate sanitization of user-provided data, an attacker can craft a malicious URL. If a target user—such as a system administrator—views the PHP-FPM status page using this URL, arbitrary JavaScript code will execute in their browser, resulting in a Cross-Site Scripting (XSS) attack.
Beyond the critical RCE and XSS flaws, several other vulnerabilities were addressed, primarily resulting in application crashes or denial-of-service (DoS) conditions.
Further SOAP Extension Flaws:
- CVE-2026-7261 (CVSS 6.3): When a SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. If a SOAP request throws an error, the object is freed, but a pointer is kept, leading to a use-after-free scenario. This could result in memory corruption, information disclosure, or a process crash.
- CVE-2026-7262 (CVSS 2.9): If a SOAP server has a typemap configured, a missing value element can trigger a null pointer dereference during the decoding process. This allows unauthenticated remote attackers to crash the SOAP server process.
Encoding and String Manipulation Bugs:
- CVE-2026-6104 (CVSS 6.3): Passing an encoding name with an embedded NUL byte to functions like mb_convert_encoding() causes the code to incorrectly assume strings have the same length when strncasecmp() returns 0. This results in an out-of-bounds read, potentially causing information disclosure or crashes. This affects several mbstring functions and INI settings.
- CVE-2026-7568 (CVSS 6.3): The metaphone() function relies on a signed integer to track its position within an input string. Passing a string larger than 2.14GB triggers a signed integer overflow. This undefined behavior can lead to out-of-bounds reads and segmentation faults.
- CVE-2026-7259 (CVSS 2.1): A mismatch between the encoding lists used in Oniguruma and mbfl can cause a null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init(), leading to a crash. It is exploitable if user input influences the encoding passed to mb_regex_encoding().
- CVE-2026-7258 (CVSS 6.3): Functions like urldecode() pass signed characters to ctype functions. On systems with a default signed char and optimized table-lookup ctype functions (like NetBSD), this can lead to negative offset array access, triggering a DoS.
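The two mbstring items above (CVE-2026-6104 and CVE-2026-7259) share a precondition: user input reaches an encoding-name parameter. The following is an added defensive example, not code from the advisory or from PHP itself, showing how an application can allow-list a caller-supplied encoding name against what the running mbstring build actually knows before handing it to mb_convert_encoding(). The function names safeEncodingName() and convertUntrusted() are this example's own.

```php
<?php
// Added example (not from the advisory): validate a caller-supplied encoding
// name before it reaches mbstring, instead of passing it through directly.
declare(strict_types=1);

function safeEncodingName(string $requested): ?string
{
    // Reject control characters outright, including an embedded NUL byte as
    // described for CVE-2026-6104; a legitimate encoding name never contains them.
    if (preg_match('/[\x00-\x1f\x7f]/', $requested)) {
        return null;
    }
    // Allow-list against the encodings this build of mbstring supports, plus
    // their registered aliases, matched case-insensitively so "utf-8" and
    // "utf8" both resolve to the canonical "UTF-8".
    foreach (mb_list_encodings() as $known) {
        if (strcasecmp($known, $requested) === 0) {
            return $known;
        }
        foreach (mb_encoding_aliases($known) as $alias) {
            if (strcasecmp($alias, $requested) === 0) {
                return $known;
            }
        }
    }
    return null;
}

function convertUntrusted(string $data, string $requestedEncoding): string
{
    $enc = safeEncodingName($requestedEncoding);
    if ($enc === null) {
        throw new InvalidArgumentException('unsupported or malformed encoding name');
    }
    return mb_convert_encoding($data, 'UTF-8', $enc);
}

// Constructed inputs for a quick manual run: a canonical name, a lowercase
// alias, and a name carrying an embedded NUL byte.
var_dump(safeEncodingName('ISO-8859-1'));
var_dump(safeEncodingName('utf8'));
var_dump(safeEncodingName("UTF-8\0junk"));
```

The same validation can sit in front of mb_regex_encoding(), but because CVE-2026-7259 stems from the mbstring and Oniguruma encoding lists disagreeing, membership in mb_list_encodings() is not by itself a guarantee for the regex functions; the safer design is to fix the regex encoding in application code rather than derive it from input at all. None of this replaces the update; it limits exposure on hosts that cannot be patched immediately.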
XML Processing:
- CVE-2026-7263 (CVSS 6.3): Incorrect XML data processing within the DOMNode::C14N() method can create a circular linked list. Subsequent processing of the document will hit an infinite loop, causing a denial of service for the processing application.
While bugs like integer overflows and encoding mismatches might sound like minor technical glitches, the presence of a 9.5 CVSS Remote Code Execution vulnerability makes this patch cycle critical. Administrators should verify their PHP versions and update to 8.2.31, 8.3.31, 8.4.21, or 8.5.6 immediately to secure their environments against these exploits.
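As an added example (not part of the advisory or of PHP's own tooling), the following script compares the running interpreter against the fixed releases listed above and reports whether the extensions involved in these advisories are loaded. The constant name FIXED_RELEASES and the functions patchStatus() and loadedAffectedExtensions() are this example's own.

```php
<?php
// Added example (not from the advisory): compare the running PHP build with
// the fixed releases named in the text. Run with: php check_php_patch.php
declare(strict_types=1);

// Fixed releases per branch, as stated in the advisory summary.
const FIXED_RELEASES = [
    '8.2' => '8.2.31',
    '8.3' => '8.3.31',
    '8.4' => '8.4.21',
    '8.5' => '8.5.6',
];

function patchStatus(string $version): string
{
    // Strip build suffixes such as "8.4.20-1+ubuntu1" so version_compare()
    // sees only the x.y.z part.
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        return "unrecognised version string '$version'";
    }
    $clean  = "$m[1].$m[2].$m[3]";
    $branch = "$m[1].$m[2]";
    if (!isset(FIXED_RELEASES[$branch])) {
        return "$clean: branch $branch is not covered by the listed fixes; treat as unpatched";
    }
    $fixed = FIXED_RELEASES[$branch];
    return version_compare($clean, $fixed, '>=')
        ? "$clean: patched (fix release for $branch is $fixed)"
        : "$clean: VULNERABLE, upgrade to $fixed or later";
}

// The SOAP, mbstring and DOM issues only apply when the extension is loaded,
// so report which of them this build has enabled.
function loadedAffectedExtensions(): array
{
    return array_values(array_filter(['soap', 'mbstring', 'dom'], 'extension_loaded'));
}

echo patchStatus(PHP_VERSION), PHP_EOL;
$loaded = loadedAffectedExtensions();
echo 'affected extensions loaded: ', ($loaded ? implode(', ', $loaded) : 'none'), PHP_EOL;
```

Run it under every interpreter on the host (CLI and FPM can differ), not just the default php binary. One caveat: distribution packages often backport security fixes without changing the upstream version number, so a "VULNERABLE" result on a vendor build should be cross-checked against that vendor's advisory before assuming the host is exposed.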