Critical PHP SOAP Extension Vulnerabilities Enable Remote Code Execution Attacks
By Abinaya
May 12, 2026
A serious cluster of vulnerabilities has been uncovered in PHP’s core string processing and ext-soap components, putting numerous web servers at immediate risk of total takeover.
While the SOAP extension has a notorious history of memory corruption flaws, this latest discovery crosses the red line into unauthenticated Remote Code Execution (RCE).
GitHub security teams are now locked in a race against time, as PHP maintainers deploy emergency patches to prevent attackers from turning vulnerable servers into compromised assets.
The most critical vulnerability, tracked as CVE-2026-6722, is a high-severity use-after-free flaw in the PHP SOAP extension.
This vulnerability emerges from how the extension handles deduplicating objects within the XML graph using id and href attributes.
When parsing an XML document, the extension stores plain PHP objects in a global hash map but critically fails to increment their reference count.
By leveraging the Apache map mechanism, an attacker can intentionally free these objects by overwriting existing map entries.
This memory manipulation allows the attacker to reuse the freed memory segment, leading to dangerous memory corruption.
As demonstrated by security researcher Brett Gervasoni, an attacker can exert a high degree of control over this freed memory by subsequently allocating plain strings, ultimately escalating the flaw into full Remote Code Execution.
Additional PHP SOAP Flaws
Alongside the RCE flaw, the PHP security team addressed four additional moderate-severity vulnerabilities through GitHub.
Developer iluuu1994 spearheaded remediation efforts for all the newly disclosed bugs.
CVE-2026-7261 involves another use-after-free issue in the SoapServer when handling session-persisted objects.
If a header node’s handler function fails or throws an exception, the object is incorrectly freed but still written to session storage.
CVE-2026-7262 is a NULL pointer dereference vulnerability triggered during the decoding of Apache: Map nodes.
By sending a specially crafted XML request missing the value node, attackers can consistently crash the PHP process, resulting in a Denial of Service.
CVE-2026-7258 exposes an out-of-bounds read in the native urldecode() function.
Due to a missing type cast when evaluating hexadecimal characters, negative byte values can cause a segmentation fault on some platforms, such as NetBSD.
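The missing-cast bug class described for urldecode() is easiest to see in a small percent-decoder. The following is an added example, not PHP's source code or its patch: `url_decode`, `hex_value`, `decodes_to` and the two `ctype_arg_*` helpers are hypothetical names, the sample inputs are constructed, and the default C locale is assumed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* What isxdigit() receives for a byte held in a signed char, without and with
 * the cast. Without it, bytes >= 0x80 go negative: undefined behaviour. */
static int ctype_arg_without_cast(signed char c) { return c; }
static int ctype_arg_with_cast(signed char c) { return (unsigned char)c; }

/* Caller must have checked isxdigit() first. */
static int hex_value(unsigned char c)
{
    return (c <= '9') ? c - '0' : tolower(c) - 'a' + 10;
}

/* Hypothetical hardened decoder, not PHP's implementation. Decodes in
 * place, NUL-terminates (buf needs len + 1 bytes) and returns the new
 * length. Malformed or truncated escapes are copied through unchanged. */
static size_t url_decode(char *buf, size_t len)
{
    const char *src = buf, *end = buf + len;
    char *dst = buf;
    while (src < end) {
        unsigned char hi = 0, lo = 0;
        if (end - src >= 3) {
            hi = (unsigned char)src[1];   /* cast before any ctype call */
            lo = (unsigned char)src[2];
        }
        if (*src == '%' && isxdigit(hi) && isxdigit(lo)) {
            *dst++ = (char)(hex_value(hi) * 16 + hex_value(lo));
            src += 3;
        } else {
            *dst++ = (*src == '+') ? ' ' : *src;
            src++;
        }
    }
    *dst = '\0';
    return (size_t)(dst - buf);
}

/* Decode a copy of `in` (constructed sample input) and compare to `want`. */
static int decodes_to(const char *in, const char *want)
{
    char buf[64];
    size_t n = strlen(in);
    if (n >= sizeof buf) return 0;
    memcpy(buf, in, n + 1);
    return url_decode(buf, n) == strlen(want) && strcmp(buf, want) == 0;
}
```

The length check before reading `src[1]` and `src[2]` matters as much as the cast: a trailing `%` or `%4` must be copied through rather than decoded.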
CVE-2026-6104 affects the mbstring extension: parsing encoding names containing embedded NUL bytes causes a global buffer overrun.
This information disclosure bug can read beyond intended bounds but is not directly exploitable for code execution.
The SOAP-related flaws and the urldecode() bug affect multiple actively supported PHP branches.
The affected releases include PHP versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. The mbstring vulnerability strictly impacts versions before 8.4.21 and 8.5.6.
Administrators are strongly advised to update their PHP environments immediately.
Patches contributed on GitHub by iluuu1994, iliaal, and ndossche are now integrated into PHP versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6.
Upgrading to these patched versions securely resolves the memory mishandling and out-of-bounds read issues, defending the server against both denial-of-service and remote-code-execution attacks.
Organizations using the SOAP extension must prioritize deploying this patch to protect critical infrastructure adequately.