CVE-2026-6722: PHP SOAP Extension Use-After-Free RCE
By Parth Shukla · 2026-05-13
Technical analysis of CVE-2026-6722 in PHP's SOAP extension. High severity, researcher-confirmed RCE. Use-after-free via XML object deduplication, affected versions, detection commands, and how Pinaka surfaces exposed PHP SOAP endpoints.
#cve #php #soap #use-after-free #rce #memory-corruption #web-server #xml
How to check if you are exposed to CVE-2026-6722
- Check the installed PHP version: php --version # Must be: >= 8.2.31, >= 8.3.31, >= 8.4.21, or >= 8.5.6
- Check if the SOAP extension is loaded: php -m | grep -i soap # Non-empty output means the extension is active
- Full configuration check: php -i | grep -iA1 "SOAP support" # Look for: "SOAP support => enabled"
- Check for X-Powered-By headers on external endpoints: curl -sI https://<target>/ | grep -i "x-powered-by" # e.g., "X-Powered-By: PHP/8.3.28" confirms version and exposure
- Detect accessible phpinfo() pages (also a standalone finding): curl -s https://<target>/phpinfo.php 2>/dev/null | grep -E "PHP Version|soap"
- Find SoapServer usage in application code: grep -rn "new SoapServer\|SoapServer(" --include="*.php" . 2>/dev/null \ | grep -v vendor # Any SoapServer instance reading from php://input or $HTTP_RAW_POST_DATA # is a candidate attack surface for CVE-2026-6722
- Find SOAP typemap configuration (narrows CVE-2026-7262 exposure): grep -rn "typemap\|SOAP_PERSISTENCE_SESSION" --include="*.php" . 2>/dev/null \ | grep -v vendor # Servers with typemaps configured are also vulnerable to CVE-2026-7262 (DoS) # Servers with SOAP_PERSISTENCE_SESSION are also vulnerable to CVE-2026-7261
- Check for WSDL files exposing services externally: find . -name "*.wsdl" 2>/dev/null curl -s "https://<target>/service.php?wsdl" | grep -i "<?xml" # A WSDL response confirms an externally accessible SOAP service
- Check PHP-FPM version in service deployments: php-fpm --version 2>/dev/null || php-fpm8.3 --version 2>/dev/null
- For CVE-2026-6104 specifically (mbstring, 8.4/8.5 only):: php --version | grep -E "8\.[45]\." # If on 8.4.x < 8.4.21 or 8.5.x < 8.5.6, mbstring is also affected
- In containerized deployments: docker ps --format '{{.Names}}' | xargs -I{} \ docker exec {} php --version 2>/dev/null | grep -E "^PHP"
Frequently asked questions
What is CVE-2026-6722?
CVE-2026-6722 is a high-severity use-after-free in PHP's ext/soap extension, affecting all active PHP branches prior to the emergency patch releases of May 2026. The function soap_add_xml_ref() in ext/soap/php_encoding.c stores PHP object pointers in the SOAP_GLOBAL(ref_map) hash map — which uses libxml2 node pointers as keys — without calling PHP's reference count increment. An attacker crafts a SOAP XML request with an Apache map structure using duplicate keys to overwrite existing map entries with null values, freeing the stored objects while their pointers remain in the map. A subsequent href reference causes the extension to dereference those stale pointers; because the freed memory can be filled with attacker-controlled strings, this escalates into remote code execution. For CISOs: any public-facing SOAP endpoint running PHP below the patched versions is exploitable without authentication. SOAP is not niche — it underpins SAP connectors, legacy payment processor APIs, government data exchange services, and B2B messaging. The same patch batch resolves a second use-after-free (CVE-2026-7261, CVSS 6.3), a denial-of-service null pointer dereference (CVE-2026-7262, CVSS 6.3 — requires a configured typemap), an out-of-bounds read in urldecode() (CVE-2026-7258, CVSS 6.3), and an mbstring buffer over-read (CVE-2026-6104, CVSS 6.3, affects PHP 8.4/8.5 only). Upgrade to PHP 8.2.31, 8.3.31, 8.4.21, or 8.5.6 immediately.
Is CVE-2026-6722 being actively exploited?
Brett Gervasoni has demonstrated a working exploit for CVE-2026-6722. The proof of concept uses a SOAP XML envelope containing an Apache map structure with duplicate keys to trigger object deallocation while stale pointers remain in SOAP_GLOBAL(ref_map), then uses href references to dereference the freed memory — memory filled with attacker-controlled string data. The exploit mechanism is a precise instance of a well-understood PHP memory corruption class: reference count manipulation followed by controlled heap reuse. The demonstration establishes this is exploitable in practice, not just in theory.
Am I exposed to CVE-2026-6722?
For CVE-2026-6722, two conditions must hold: PHP is below the patched version, and the SOAP extension is enabled and processing attacker-reachable requests. Check both explicitly.
How do I fix CVE-2026-6722?
1. Upgrade PHP immediately — this is the only complete fix.