PHP SOAP Extension RCE CVE-2026-6722 Patched Across All Branches

PHP patched CVE-2026-6722, a use-after-free RCE in the SOAP extension, across all active branches (8.2, 8.3, 8.4, 8.5) — exposing any server handling SOAP requests.

    The PHP project released coordinated security patches across all four actively maintained branches on May 12, addressing a use-after-free remote code execution vulnerability in PHP's SOAP extension. CVE-2026-6722 affects any web server running a PHP version prior to 8.2.31, 8.3.31, 8.4.21, or 8.5.6 that processes SOAP requests. Because the fix landed in every supported branch on the same day, no maintained release line is exempt, and those four version numbers are the only thing an administrator needs to check against.

    CVE-2026-6722: Use-After-Free in ext-soap Enables RCE on SOAP-Handling Servers

    A use-after-free vulnerability occurs when a program keeps using a pointer to a heap object after that object has been freed. If an attacker can get the allocator to hand the same memory back for an object whose contents they control, the stale pointer now reads or writes attacker-controlled data, which is the usual route from a memory-safety bug to hijacked control flow. In CVE-2026-6722 the flaw exists in PHP's ext-soap extension, the component responsible for parsing and processing SOAP protocol messages.

    Web servers that parse attacker-supplied SOAP requests are the target surface: code paths that hand untrusted SOAP messages to ext-soap, such as a SoapServer::handle() endpoint. An attacker can craft a malicious SOAP payload designed to trigger the use-after-free condition, potentially achieving code execution in the PHP worker process. Successful exploitation gives the attacker the ability to run arbitrary code with that process's privileges (the php-fpm pool user, or the web server's own user under mod_php), a foothold that typically enables further privilege escalation, lateral movement through reachable backend systems, or data exfiltration from databases the web application is authorized to query.

    The SOAP extension is bundled with PHP but is not enabled by default: it must be compiled in with --enable-soap or loaded as a shared module, and most distributions ship it as a separate package (php-soap, or php8.x-soap on Debian and Ubuntu). It is nonetheless a standard dependency for enterprise system integrations. Organizations running ERP integrations with SAP, Oracle, or government service APIs over SOAP are frequently running ext-soap in production. Content management systems and e-commerce platforms with legacy integration middleware may also have SOAP processing active without current administrators being aware of it.

    PHP 8.2, 8.3, 8.4, and 8.5 All Affected: Fixes Shipped to Every Supported Branch at Once

    The PHP project ships security fixes to every supported branch on the same day as a matter of routine, so a four-branch release (8.2.31, 8.3.31, 8.4.21, and 8.5.6) is not by itself a severity signal. What it does confirm is that the bug was reproduced across the full range of supported versions rather than being specific to one release line, and that administrators on the oldest branch, 8.2, which at this point in its lifecycle receives only security fixes, are covered rather than left exposed while newer branches are patched first.

    Every release before the corrected version on a given branch is affected. An organization running PHP 8.3.27, for example, is vulnerable and needs 8.3.31; it does not need to jump to 8.4 or 8.5, only to the first fixed release of whatever branch it is already on. The practical effect is that no currently maintained PHP version is exempt: administrators running any version of PHP 8.2, 8.3, 8.4, or 8.5 below the fixed release must update.

    PHP powers WordPress, Drupal, Laravel, Symfony, and thousands of custom enterprise web applications. The installed base is measured in hundreds of millions of deployments. Not all of those deployments have ext-soap active, but among enterprise environments with backend system integrations, SOAP usage is common enough that the vulnerable population is substantial.

    CVE-2026-6104 Buffer Over-Read in mb_convert_encoding Also Patched

    The same patch cycle addresses CVE-2026-6104, a buffer over-read in PHP’s mb_convert_encoding function. Buffer over-reads can expose memory contents beyond an allocated buffer — potentially leaking sensitive data processed in adjacent memory regions, including credentials, session tokens, or cryptographic material. Under certain conditions, buffer over-reads can also trigger application crashes.

    CVE-2026-6104 carries lower severity than the RCE in ext-soap, but both fixes ship in the same point releases, so an update that closes the ext-soap hole also closes the mb_convert_encoding one. There is no way, and no reason, to take one fix while deferring the other.

    PHP administrators should verify the running version on every web server (php -v, or phpinfo() for the interpreter actually serving requests, which can differ from the CLI binary) and update to the applicable corrected release: 8.2.31, 8.3.31, 8.4.21, or 8.5.6. Shared hosting environments where the PHP version is managed by the hosting provider should be confirmed as updated with the hosting company. Where immediate patching is constrained, review whether ext-soap is actually required and, if not, disable it temporarily (comment out the extension=soap line in php.ini or the matching conf.d file, or run phpdismod soap on Debian-based systems, then restart php-fpm or the web server so the change takes effect) to reduce exposure to CVE-2026-6722 until the full update can be applied.
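    The version gate and the ext-soap check described above, as an added example that is not code from the PHP project or from the original article. The fixed-version table is taken from the advisory; the function names and the sample module list are this example's own, and the live branch only runs if a php binary happens to be on PATH.

```shell
#!/bin/sh
# Added example (not from the PHP project or the article): gate a PHP
# version string against the fixed releases for CVE-2026-6722/6104 and
# check whether ext-soap is loaded. Function names are assumptions of this
# example; only the fixed-version table comes from the advisory.

# php_version_status VERSION -> prints fixed | vulnerable | unsupported | unknown
# Accepts distro-decorated strings such as "8.4.21-1ubuntu2".
php_version_status() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # No third component at all (e.g. "8.3"): cannot decide.
    if [ "$patch" = "$rest" ]; then
        patch=''
    fi
    patch=${patch%%[!0-9]*}          # drop "-1ubuntu2", "+deb12u1" style suffixes

    case "$major.$minor" in
        8.2) need=31 ;;
        8.3) need=31 ;;
        8.4) need=21 ;;
        8.5) need=6 ;;
        *)   echo unsupported; return 0 ;;   # EOL branches receive no fix
    esac

    if [ -z "$patch" ]; then
        echo unknown
    elif [ "$patch" -ge "$need" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# soap_loaded reads a module list (the output of `php -m`) on stdin and
# succeeds if the soap extension is among the loaded modules.
soap_loaded() {
    grep -qix soap
}

# Constructed sample module list, standing in for `php -m` output on a
# host that has ext-soap enabled.
SAMPLE_MODULES='Core
ctype
json
soap
xml'

# Live check, only when a php binary is on PATH. The CLI binary may not be
# the interpreter behind php-fpm or mod_php; check that one separately.
if command -v php >/dev/null 2>&1; then
    ver=$(php -r 'echo PHP_VERSION;')
    if php -m | soap_loaded; then soap=loaded; else soap='not loaded'; fi
    echo "PHP $ver: $(php_version_status "$ver") (ext-soap $soap)"
else
    if printf '%s\n' "$SAMPLE_MODULES" | soap_loaded; then soap=loaded; else soap='not loaded'; fi
    echo "sample: PHP 8.3.27 -> $(php_version_status 8.3.27) (ext-soap $soap)"
fi
```

    One caveat before trusting the version string: Debian, Ubuntu and RHEL routinely backport security fixes without bumping the upstream version number, so a package that reports 8.2.29 may already carry the fix. On those systems read the package changelog or the distribution's own advisory rather than the output of php -v, and run the check against the interpreter that php-fpm or mod_php actually uses, not only the CLI binary.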
