PHP’s SOAP Extension: A Deep Dive Into RCE and Memory Safety Flaws
The cybersecurity landscape has been recently disrupted by the disclosure of several significant vulnerabilities within the PHP engine, with the most alarming findings centered around the widely deployed SOAP extension. These flaws represent a serious threat to server integrity, as they expose a pathway for attackers to move from simple data processing to full system compromise.
Of particular concern is a high-severity flaw that provides a direct route to Remote Code Execution (RCE). Alongside this, a suite of moderate-severity bugs—including Use-After-Free (UAF) conditions, NULL pointer dereferences, and out-of-bounds reads—have been identified across various core modules. For system administrators and DevOps engineers, the mandate is clear: immediate patching is required to mitigate the risk of active exploitation.
The history of the PHP SOAP extension shows it to be a persistent target for sophisticated actors. For instance, past vulnerabilities like CVE-2021-21702 demonstrated how malformed XML could be weaponized to trigger unauthenticated Denial-of-Service (DoS) attacks. This latest batch of vulnerabilities underscores a recurring theme: the inherent complexity of XML parsing and memory management provides fertile ground for advanced threat actors to engineer highly reliable exploits.
Deep Dive: The ext-soap Use-After-Free (CVE-2026-6722)
The most critical vulnerability identified is CVE-2026-6722, a high-severity Use-After-Free (UAF) flaw located within the ext-soap package. This vulnerability is not merely a logic error; it is a fundamental breakdown in how PHP manages object lifecycles during XML graph traversal.
To optimize processing, the extension utilizes a mechanism to deduplicate objects within the XML graph via id and href attributes. During this traversal, PHP caches plain objects in a specialized hash map known as SOAP_GLOBAL(ref_map). The vulnerability arises because the engine fails to properly increment the object’s reference count during this specific memory allocation phase.
An attacker can exploit this oversight by leveraging an Apache map mechanism to overwrite existing map entries, forcing the premature freeing of objects. By crafting a surgical XML payload, an attacker can trigger a scenario where a node evaluates a “stale” object and immediately overwrites it with a NULL value. This leaves a dangling pointer in the reference map. By subsequently using the href attribute to point back to this invalidated memory address and filling that space with controlled plain strings, the attacker gains granular control over the memory segment. This level of heap manipulation allows for the bypassing of standard memory protections, facilitating reliable RCE.
Secondary Vulnerabilities: SOAP Persistence and Core Logic Errors
Beyond the RCE threat, researchers have flagged CVE-2026-7261, a moderate-severity UAF vulnerability involving the SoapServer session persistence feature. When the SOAP_PERSISTENCE_SESSION flag is active, developers intend to persist handler objects in session storage across requests. However, a flaw in the soap.c component prevents the engine from correctly accounting for this flag if a handler function returns false or encounters a fatal exception. This results in the object being freed in memory while a pointer to it is incorrectly written to session storage, creating a classic Use-After-Free scenario.
Furthermore, CVE-2026-7262 introduces a Denial-of-Service (DoS) vector through a NULL pointer dereference in the Apache Map decoder. While the to_zval_map() function validates missing keys, it fails to adequately validate missing <value> nodes. If a target server utilizes a specific typemap, an attacker can submit an Apache:Map node lacking a value, causing the processing thread to crash instantly.
The vulnerabilities extend into the PHP core itself, affecting standard utility functions:
- CVE-2026-7258: An out-of-bounds read in
urldecode(). On platforms like NetBSD, passing negative character values toisxdigit()without unsigned casting triggers signed integer extension, leading to memory over-reads. - CVE-2026-6104: A global buffer over-read in
mb_convert_encoding(). If an attacker provides an encoding name containing NUL bytes, thestrncasecmpfunction terminates prematurely, causing PHP to read past the intended buffer into adjacent memory.
These flaws affect all versions of PHP prior to 8.2.31, 8.3.31, 8.4.21, and 8.5.6. If your stack processes untrusted URL-decoded strings or utilizes multi-byte string conversions, you are in the blast radius.
Summary of Identified Vulnerabilities
| CVE ID | Severity (CVSS) | Weakness Type | Impact | Vector |
|---|---|---|---|---|
| CVE-2026-6722 | High | CWE-416: Use-After-Free | Remote Code Execution (RCE) | Network |
| CVE-2026-7261 | Moderate | Use-After-Free | Session Corruption/UAF | Network |
| CVE-2026-7262 | Moderate | NULL Pointer Dereference | Denial of Service (DoS) | Network |
| CVE-2026-7258 | Moderate | CWE-125: Out-of-bounds Read | Memory Information Leak | Network |
| CVE-2026-6104 | Moderate | CWE-125: Out-of-bounds Read | Information Disclosure | Network |
Remediation and Acknowledgments
The PHP development team has mitigated these risks by implementing stricter memory safety checks. Specifically, for the RCE flaw, the patch ensures that object reference counts are proactively incremented before they are added to the global reference map, and that deallocators are strictly configured to release objects only when safe.
Action Required: Upgrade your PHP environments to the following patched versions immediately: 8.2.31, 8.3.31, 8.4.21, or 8.5.6.
We would like to acknowledge the security researchers who responsibly disclosed these findings: BrettGervasoni (CVE-2026-6722), iliaal (CVE-2026-7261 and CVE-2026-7262), xfourj (CVE-2026-7258), and AkshayJainG (CVE-2026-6104). Core remediation was spearheaded by iluuu1994 with assistance from ndossche.