CVE-2026-6722: PHP SOAP Extension Use-After-Free RCE

By Parth Shukla · 2026-05-13

Technical analysis of CVE-2026-6722 in PHP's SOAP extension. High severity, researcher-confirmed RCE. Use-after-free via XML object deduplication, affected versions, detection commands, and how Pinaka surfaces exposed PHP SOAP endpoints.

#cve #php #soap #use-after-free #rce #memory-corruption #web-server #xml

How to check if you are exposed to CVE-2026-6722

  1. Check the installed PHP version: php --version # Must be: >= 8.2.31, >= 8.3.31, >= 8.4.21, or >= 8.5.6
  2. Check if the SOAP extension is loaded: php -m | grep -i soap # Non-empty output means the extension is active
  3. Full configuration check: php -i | grep -iA1 "SOAP support" # Look for: "SOAP support => enabled"
  4. Check for X-Powered-By headers on external endpoints: curl -sI https://<target>/ | grep -i "x-powered-by" # e.g., "X-Powered-By: PHP/8.3.28" confirms version and exposure
  5. Detect accessible phpinfo() pages (also a standalone finding): curl -s https://<target>/phpinfo.php 2>/dev/null | grep -E "PHP Version|soap"
  6. Find SoapServer usage in application code: grep -rn "new SoapServer\|SoapServer(" --include="*.php" . 2>/dev/null \ | grep -v vendor # Any SoapServer instance reading from php://input or $HTTP_RAW_POST_DATA # is a candidate attack surface for CVE-2026-6722
  7. Find SOAP typemap configuration (narrows CVE-2026-7262 exposure): grep -rn "typemap\|SOAP_PERSISTENCE_SESSION" --include="*.php" . 2>/dev/null \ | grep -v vendor # Servers with typemaps configured are also vulnerable to CVE-2026-7262 (DoS) # Servers with SOAP_PERSISTENCE_SESSION are also vulnerable to CVE-2026-7261
  8. Check for WSDL files exposing services externally: find . -name "*.wsdl" 2>/dev/null curl -s "https://<target>/service.php?wsdl" | grep -i "<?xml" # A WSDL response confirms an externally accessible SOAP service
  9. Check PHP-FPM version in service deployments: php-fpm --version 2>/dev/null || php-fpm8.3 --version 2>/dev/null
  10. For CVE-2026-6104 specifically (mbstring, 8.4/8.5 only):: php --version | grep -E "8\.[45]\." # If on 8.4.x < 8.4.21 or 8.5.x < 8.5.6, mbstring is also affected
  11. In containerized deployments: docker ps --format '{{.Names}}' | xargs -I{} \ docker exec {} php --version 2>/dev/null | grep -E "^PHP"

Frequently asked questions

What is CVE-2026-6722?

CVE-2026-6722 is a high-severity use-after-free in PHP's ext/soap extension, affecting all active PHP branches prior to the emergency patch releases of May 2026. The function soap_add_xml_ref() in ext/soap/php_encoding.c stores PHP object pointers in the SOAP_GLOBAL(ref_map) hash map — which uses libxml2 node pointers as keys — without calling PHP's reference count increment. An attacker crafts a SOAP XML request with an Apache map structure using duplicate keys to overwrite existing map entries with null values, freeing the stored objects while their pointers remain in the map. A subsequent href reference causes the extension to dereference those stale pointers; because the freed memory can be filled with attacker-controlled strings, this escalates into remote code execution. For CISOs: any public-facing SOAP endpoint running PHP below the patched versions is exploitable without authentication. SOAP is not niche — it underpins SAP connectors, legacy payment processor APIs, government data exchange services, and B2B messaging. The same patch batch resolves a second use-after-free (CVE-2026-7261, CVSS 6.3), a denial-of-service null pointer dereference (CVE-2026-7262, CVSS 6.3 — requires a configured typemap), an out-of-bounds read in urldecode() (CVE-2026-7258, CVSS 6.3), and an mbstring buffer over-read (CVE-2026-6104, CVSS 6.3, affects PHP 8.4/8.5 only). Upgrade to PHP 8.2.31, 8.3.31, 8.4.21, or 8.5.6 immediately.

Is CVE-2026-6722 being actively exploited?

Brett Gervasoni has demonstrated a working exploit for CVE-2026-6722. The proof of concept uses a SOAP XML envelope containing an Apache map structure with duplicate keys to trigger object deallocation while stale pointers remain in SOAP_GLOBAL(ref_map), then uses href references to dereference the freed memory — memory filled with attacker-controlled string data. The exploit mechanism is a precise instance of a well-understood PHP memory corruption class: reference count manipulation followed by controlled heap reuse. The demonstration establishes this is exploitable in practice, not just in theory.

Am I exposed to CVE-2026-6722?

For CVE-2026-6722, two conditions must hold: PHP is below the patched version, and the SOAP extension is enabled and processing attacker-reachable requests. Check both explicitly.

How do I fix CVE-2026-6722?

1. Upgrade PHP immediately — this is the only complete fix.

Check your own attack surface with Pinaka