
PHP SOAP Extension Flaw Could Let Attackers Execute Code Remotely
Why It Matters
The RCE vulnerability gives attackers a direct path to compromise web applications, forcing rapid patch adoption to protect critical infrastructure and maintain compliance.
Key Takeaways
- CVE‑2026‑6722 enables remote code execution via a use‑after‑free bug in the SOAP extension.
- Affected: PHP versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6.
- The patches raise reference counts, preventing exploitation of stale pointers.
- Moderate‑severity flaws also expose denial‑of‑service and out‑of‑bounds read conditions.
- Immediate upgrades are required for web hosts processing untrusted XML.
Pulse Analysis
The PHP language powers a large share of web applications, and its SOAP extension has long been a favorite target for attackers because XML parsing introduces complex memory‑management challenges. The latest batch of disclosures, announced in May 2026, adds a high‑severity Use‑After‑Free (UAF) flaw to an already crowded vulnerability landscape that includes several moderate‑severity bugs across core modules. These issues underscore how legacy code paths and insufficient reference‑count handling can open doors for remote code execution, denial‑of‑service, and information leakage.
CVE‑2026‑6722 stems from the way the SOAP extension deduplicates objects using the XML id/href mechanism. During traversal, PHP stores objects in a global reference map without incrementing their reference count, so an attacker can craft an XML payload that frees the object and then re‑uses the dangling pointer. By allocating controlled data into the reclaimed slot, the adversary can hijack execution flow and achieve arbitrary code execution, bypassing typical mitigations such as ASLR and DEP. The official patches (PHP 8.2.31, 8.3.31, 8.4.21, and 8.5.6) correct this by enforcing proper reference counting and adding sanity checks before map updates.
For enterprises that rely on PHP‑driven services, the discovery forces a rapid patch‑management cycle. Unpatched servers exposing SOAP endpoints can become footholds for ransomware groups or nation‑state actors seeking lateral movement within a network. Compliance frameworks such as PCI DSS and ISO 27001 flag unaddressed high‑severity vulnerabilities as non‑conformities, making timely upgrades a regulatory as well as a security imperative. Organizations should audit their codebases for SOAP usage, enforce strict input validation, and integrate automated vulnerability scanning to stay ahead of future memory‑safety bugs.
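A host‑side check for the patch‑management step above, added here as an example and not taken from the advisory or the PHP project: it compares the running PHP build against the fixed versions the article lists and reports whether the SOAP extension is loaded at all. The treatment of branches the advisory does not cover (reported as 'unknown' and counted as unpatched) is an assumption made for this script.

```php
<?php
// Added example (not from the advisory): audit the running PHP build against the
// fixed versions listed for CVE-2026-6722 and report whether the SOAP extension
// is loaded. Run on each host: php soap_uaf_check.php

declare(strict_types=1);

/** Minimum patched version per release branch, as listed in the article. */
const FIXED_VERSIONS = [
    '8.2' => '8.2.31',
    '8.3' => '8.3.31',
    '8.4' => '8.4.21',
    '8.5' => '8.5.6',
];

/**
 * Classify a PHP version string. Returns one of:
 *   'patched'    - branch is covered and version >= fixed release
 *   'vulnerable' - branch is covered and version <  fixed release
 *   'unknown'    - branch not covered by the advisory (assumption: treat as unpatched)
 */
function classifyPhpVersion(string $version): string
{
    // Strip distro build suffixes such as "8.3.10-1ubuntu1" before comparing.
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        return 'unknown';
    }
    $branch = "{$m[1]}.{$m[2]}";
    if (!isset(FIXED_VERSIONS[$branch])) {
        return 'unknown';
    }
    $clean = "{$m[1]}.{$m[2]}.{$m[3]}";
    return version_compare($clean, FIXED_VERSIONS[$branch], '>=') ? 'patched' : 'vulnerable';
}

/** Build the report for this host; $soapLoaded defaults to the live extension check. */
function soapExposureReport(string $version, ?bool $soapLoaded = null): array
{
    $soapLoaded ??= extension_loaded('soap');
    $status = classifyPhpVersion($version);
    // The UAF lives in the SOAP extension, so a build without it is not exposed to this CVE.
    $exposed = $soapLoaded && $status !== 'patched';
    return ['version' => $version, 'soap_loaded' => $soapLoaded,
            'status' => $status, 'exposed' => $exposed];
}

$r = soapExposureReport(PHP_VERSION);
printf("PHP %s: %s, soap %s => %s\n", $r['version'], $r['status'],
    $r['soap_loaded'] ? 'loaded' : 'not loaded', $r['exposed'] ? 'UPGRADE REQUIRED' : 'ok');
exit($r['exposed'] ? 1 : 0);
```

The non‑zero exit status lets a configuration‑management or CI job fail the host until it is upgraded.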