Critical PHP SOAP Extension Vulnerabilities Enable Remote Code Execution

Overview

A cluster of serious vulnerabilities has been uncovered in PHP’s core string processing and ext‑soap components, exposing web servers to unauthenticated Remote Code Execution (RCE) and denial‑of‑service risks. Emergency patches have been released, and administrators are urged to update immediately.

Key Vulnerabilities

  • CVE‑2026‑6722 (Critical RCE)
    • Use‑after‑free flaw in SOAP extension.
    • Triggered when deduplicating XML objects via id and href attributes.
    • Attackers can free objects in a global hash map, reuse memory, and escalate to RCE.
  • CVE‑2026‑7261 (Use‑After‑Free in SoapServer)
    • Occurs when session‑persisted objects are freed incorrectly after handler exceptions.
  • CVE‑2026‑7262 (NULL Pointer Dereference)
    • Crafted XML requests missing value nodes crash PHP, causing DoS.
  • CVE‑2026‑7258 (Out‑of‑Bounds Read in urldecode)
    • Missing type cast allows negative byte values, leading to segmentation faults (notably on NetBSD).
  • CVE‑2026‑6104 (mbstring Buffer Overrun)
    • Parsing encoding names with embedded NUL bytes causes information disclosure.

Affected Versions

  • SOAP & urldecode flaws: PHP releases earlier than 8.2.31, 8.3.31, 8.4.21, and 8.5.6 (the fixed release in each branch).
  • mbstring flaw: PHP releases earlier than 8.4.21 and 8.5.6.

Patches & Contributors

  • Fixes integrated into PHP 8.2.31, 8.3.31, 8.4.21, 8.5.6.
  • Contributions by iluuu1994, iliaal, ndossche on GitHub.
  • Emergency remediation coordinated by PHP maintainers and GitHub security teams.

Why It Matters

  • SOAP has a history of memory corruption issues, but this marks a direct RCE risk.
  • Attackers can exploit vulnerable servers for total takeover.
  • Even moderate flaws (DoS, buffer overruns) can destabilize production environments.

Defensive Guidance

  • Update immediately to patched PHP versions.
  • Audit SOAP usage in applications; disable if not required.
  • Monitor logs for suspicious XML payloads or abnormal crashes.
  • Apply least‑privilege principles to PHP processes to limit blast radius.
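
As a starting point for the first two items, the following added example (not code from the PHP project or from this advisory) classifies a PHP version string against the fixed releases listed above for the SOAP and urldecode flaws, and reports whether the local interpreter has the soap extension loaded. The function names and status labels are hypothetical, and the mbstring range is not modelled.

```sh
#!/bin/sh
# Added example: classify a PHP version against the fixed releases this page
# lists for the SOAP and urldecode flaws. Names and labels are illustrative.

# First fixed patch level per branch, from the page: 8.2.31, 8.3.31, 8.4.21, 8.5.6.
fixed_patch() {
    case "$1" in
        8.2|8.3) echo 31 ;;
        8.4)     echo 21 ;;
        8.5)     echo 6 ;;
        *)       return 1 ;;
    esac
}

# php_patch_status VERSION
# Prints: patched | vulnerable | no-fix-listed | newer-branch | unparseable
php_patch_status() {
    # Keep only the leading MAJOR.MINOR.PATCH; drops suffixes like "-1ubuntu2" or "RC1".
    parts=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9]\{1,\}\)\.\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1 \2 \3/p')
    [ -n "$parts" ] || { echo unparseable; return 0; }
    set -- $parts
    major=$1; minor=$2; patch=$3

    if fixed=$(fixed_patch "$major.$minor"); then
        if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
    elif [ "$major" -lt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -lt 2 ]; }; then
        # Below 8.2.31, and the page names no fixed release for this branch.
        echo no-fix-listed
    else
        # Branch newer than any the page covers; the page makes no statement about it.
        echo newer-branch
    fi
}

# Report on the local interpreter: version, patch status, and whether soap is loaded.
audit_local_php() {
    v=$(php -r 'echo PHP_VERSION;') || return 1
    if php -m | grep -qix 'soap'; then soap=loaded; else soap=not-loaded; fi
    echo "php=$v status=$(php_patch_status "$v") soap=$soap"
}

# Only runs when a php binary is on PATH.
if command -v php >/dev/null 2>&1; then
    audit_local_php || echo "php found, but the version query failed"
fi
```

Distribution packages often backport security fixes without changing the upstream version number, so a "vulnerable" result on a vendor build should be confirmed against the vendor's own advisory.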

Final Thought

This incident underscores how legacy components like SOAP remain high‑risk attack surfaces. With RCE now confirmed, patching is not optional — it’s urgent. For organizations running PHP in production, the lesson is clear: stay current, disable unused extensions, and treat XML parsing as a critical security boundary.
