Critical PHP SOAP Extension Vulnerabilities Enable Remote Code Execution Attacks
By Abinaya
May 12, 2026
A serious cluster of vulnerabilities has been uncovered in PHP’s core string processing and ext-soap components, putting numerous web servers at immediate risk of total takeover.
While the SOAP extension has a notorious history of memory corruption flaws, this latest discovery crosses the red line into unauthenticated Remote Code Execution (RCE).
GitHub security teams are now locked in a race against time, as PHP maintainers deploy emergency patches to prevent attackers from turning vulnerable servers into compromised assets.
The most critical vulnerability, tracked as CVE-2026-6722, is a high-severity use-after-free flaw in the PHP SOAP extension.
This vulnerability emerges from how the extension handles deduplicating objects within the XML graph using id and href attributes.
When parsing an XML document, the extension stores plain PHP objects in a global hash map but critically fails to increment their reference count.
By leveraging the Apache map mechanism, an attacker can intentionally free these objects by overwriting existing map entries.
This memory manipulation allows the attacker to reuse the freed memory segment, leading to dangerous memory corruption.
As demonstrated by security researcher Brett Gervasoni, an attacker can exert a high degree of control over this freed memory by subsequently allocating plain strings, ultimately escalating the flaw into full Remote Code Execution.
Additional PHP SOAP Flaws
Alongside the RCE flaw, the PHP security team addressed four additional moderate-severity vulnerabilities through GitHub.
Developer iluuu1994 spearheaded remediation efforts for all the newly disclosed bugs.
CVE-2026-7261 involves another use-after-free issue in the SoapServer when handling session-persisted objects.
If a header node’s handler function fails or throws an exception, the object is incorrectly freed but still written to session storage.
CVE-2026-7262 is a NULL pointer dereference vulnerability triggered during the decoding of Apache:Map nodes.
By sending a specially crafted XML request missing the value node, attackers can consistently crash the PHP process, resulting in a Denial of Service.
CVE-2026-7258 exposes an out-of-bounds read in the native urldecode() function.
Due to a missing type cast when evaluating hexadecimal characters, negative byte values can cause a segmentation fault on some platforms, such as NetBSD.
CVE-2026-6104 affects the mbstring extension: parsing encoding names containing embedded NUL bytes causes a global buffer overrun.
This information disclosure bug can read beyond intended bounds but is not directly exploitable for code execution.
The SOAP-related flaws and the urldecode() bug affect multiple actively supported PHP branches.
The affected releases include PHP versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. The mbstring vulnerability strictly impacts versions before 8.4.21 and 8.5.6.
Administrators are strongly advised to update their PHP environments immediately.
Patches contributed on GitHub by iluuu1994, iliaal, and ndossche are now integrated into PHP versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6.
Upgrading to these patched versions securely resolves the memory mishandling and out-of-bounds read issues, defending the server against both denial-of-service and remote-code-execution attacks.
Organizations using the SOAP extension must prioritize deploying this patch to protect critical infrastructure adequately.
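The version boundaries above, turned into a triage check (an added example, not code from the article or the PHP project): it takes a PHP version string and `php -m` output and reports which of the listed CVEs still apply. The function names are hypothetical, and limiting the mbstring bug to the 8.4 and 8.5 branches is an assumption based on the article's wording.

```shell
#!/bin/sh
# Added example. Fixed releases come from the article: 8.2.31, 8.3.31, 8.4.21, 8.5.6.
# Typical call: php_cve_exposure "$(php -r 'echo PHP_VERSION;')" "$(php -m)"

# fixed_patch BRANCH -> first patched patch level, empty if the article lists none
fixed_patch() {
    case "$1" in
        8.2|8.3) echo 31 ;;
        8.4)     echo 21 ;;
        8.5)     echo 6 ;;
        *)       echo "" ;;
    esac
}

# has_ext NAME MODULES -> success if NAME is a whole line of the `php -m` output
has_ext() {
    printf '%s\n' "$2" | grep -qix "$1"
}

# php_cve_exposure VERSION MODULES -> CVE ids, "patched", or "unlisted-branch"
php_cve_exposure() {
    version=${1%%[-+]*}          # drop packaging suffixes such as -1ubuntu1
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}      # "31RC1" -> "31"
    branch="$major.$minor"
    fixed=$(fixed_patch "$branch")

    if [ -z "$fixed" ]; then
        echo "unlisted-branch"; return 0   # no fixed release named for this branch
    fi
    if [ "$patch" -ge "$fixed" ]; then
        echo "patched"; return 0
    fi

    out="CVE-2026-7258"          # urldecode() is core, no extension required
    if has_ext soap "$2"; then
        out="$out CVE-2026-6722 CVE-2026-7261 CVE-2026-7262"
    fi
    # Assumption: the mbstring bug applies only to the 8.4 and 8.5 branches
    case "$branch" in
        8.4|8.5) if has_ext mbstring "$2"; then out="$out CVE-2026-6104"; fi ;;
    esac
    echo "$out"
}
```

Distribution packages often backport fixes without changing the upstream version number, so confirm against the vendor's advisory before treating a host as exposed.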
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.