Critical PHP SOAP Extension Flaw Enables Remote Code Execution Attacks

Recently disclosed vulnerabilities in PHP, particularly within the widely used SOAP extension, have triggered significant alarms across the cybersecurity community.

The most severe flaw allows threat actors to achieve Remote Code Execution (RCE) on affected servers.

System administrators must apply patches immediately to protect their environments from potential exploitation.

Historically, the PHP SOAP extension has been a prime target for attackers due to the complexity of XML processing.

This complexity frequently introduces subtle memory management bugs that advanced threat actors can weaponize to compromise entire systems.

PHP SOAP Extension Vulnerability

The most critical newly published vulnerability is CVE-2026-6722, a high-severity Use-After-Free (UAF) flaw located in the ext-soap package.

This issue originates from how the extension deduplicates objects in the XML graph using id and href attributes.

During XML graph traversal, PHP stores plain objects in a hash map, but the object’s reference count is not properly incremented during this memory allocation.

Attackers can exploit this missing reference increment by utilizing an Apache map mechanism to overwrite existing map entries and free objects prematurely.

By carefully crafting an XML payload, an attacker forces a node to evaluate a stale object, which invalidates the pointer in the reference map.

Once the memory is freed, the attacker can use the href attribute to point back to this stale memory. By allocating plain strings to the freed space, threat actors gain deep control over the memory segment.

This level of memory manipulation creates a highly reliable pathway to Remote Code Execution, effectively bypassing standard memory protections.

Researchers also discovered CVE-2026-7261, a moderate-severity UAF vulnerability tied to the SoapServer session persistence feature.

Additionally, CVE-2026-7262 involves a NULL pointer dereference in the Apache Map decoder, creating a trivial vector for Denial-of-Service (DoS) attacks that require zero user interaction.

Beyond the SOAP extension, two out-of-bounds read vulnerabilities (CVE-2026-7258 and CVE-2026-6104) were found in other PHP core functions, leading to potential information disclosure and memory corruption.

These memory corruption and logic vulnerabilities affect a wide footprint of current PHP releases.

The issues are present in PHP versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. Any applications relying on the SOAP extension or processing untrusted inputs via URL decoding are at significant risk of exploitation.

The PHP development team has addressed these flaws by enforcing stricter memory safety checks in their latest releases.

For the high-severity SOAP vulnerability, the developers now increment an object's reference count before adding it to the global reference map, so the object is not released while the map still refers to it.

| CVE ID | Severity | Weakness | Attack Type | Vector |
|---|---|---|---|---|
| CVE-2026-6722 | High | CWE-416: Use-After-Free | Remote Code Execution | Network |
| CVE-2026-7261 | Moderate | Use-After-Free | Use-After-Free | Network |
| CVE-2026-7262 | Moderate | NULL pointer dereference | Denial of Service (DoS) | Network |
| CVE-2026-7258 | Moderate | CWE-125: Out-of-bounds Read | Out-of-bounds Read | Network |
| CVE-2026-6104 | Moderate | CWE-125: Out-of-bounds Read | Information Disclosure | Network |

System administrators and web hosts are strongly urged to upgrade their PHP installations to the patched versions immediately.
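To triage hosts against the fixed releases listed above, the following added example (not from the article or the PHP project) classifies a PHP version string per branch and checks whether ext-soap is loaded. The function names `php_patch_status` and `soap_loaded` are hypothetical; the version thresholds are the ones the article states.

```shell
#!/bin/sh
# Added example (not from the article or the PHP project).
# Fixed releases are the ones the article names: 8.2.31, 8.3.31, 8.4.21, 8.5.6.

# php_patch_status VERSION -> prints "patched", "affected" or "unknown"
php_patch_status() {
    case "$1" in
        *RC*|*alpha*|*beta*|*dev*) echo unknown; return 0 ;;  # pre-release builds
    esac
    # Keep only MAJOR.MINOR.PATCH; drops suffixes such as "-0ubuntu0.24.04.1".
    ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    case "$major.$minor" in
        8.2|8.3) fixed=31 ;;
        8.4)     fixed=21 ;;
        8.5)     fixed=6 ;;
        *)
            # Older branches: the article's "before 8.2.31" read literally;
            # it names no fixed release for them. Newer branches: not covered.
            if [ "$major" -lt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -lt 2 ]; }; then
                echo affected
            else
                echo unknown
            fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo affected; fi
}

# soap_loaded: reads `php -m` output on stdin; succeeds if ext-soap is listed.
soap_loaded() { grep -qix 'soap'; }

# Report on the local interpreter when one is on PATH.
if command -v php >/dev/null 2>&1; then
    v=$(php -r 'echo PHP_VERSION;')
    if php -m | soap_loaded; then soap=yes; else soap=no; fi
    echo "php $v: $(php_patch_status "$v"), soap loaded: $soap"
fi
```

Distribution packages can carry backported fixes under an older upstream version number, so confirm an "affected" result against the vendor's advisory.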

The rapid discovery and remediation of these flaws highlight the collaborative effort across the open-source security community.

Vulnerability reports were responsibly disclosed by security researchers BrettGervasoni, iliaal, xfourj, and AkshayJainG, with core patches developed by the PHP maintainer team.

The post Critical PHP SOAP Extension Flaw Enables Remote Code Execution Attacks appeared first on Cyber Security News.