Critical PHP SOAP Extension Vulnerabilities Enables Remote Code Execution Attacks
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A serious cluster of vulnerabilities has been uncovered in PHP\u2019s core string processing and ext-soap components, putting numerous web servers at immediate risk of total takeover.<\/p>\n
While the SOAP extension has a notorious history of memory corruption flaws, this latest discovery crosses the red line into unauthenticated Remote Code Execution (RCE).<\/p>\n
GitHub security teams are now locked in a race against time, as PHP maintainers deploy emergency patches to prevent attackers from turning vulnerable servers into compromised assets.<\/p>\n
The most critical vulnerability, tracked as CVE-2026-6722, is a high-severity\u00a0use-after-free flaw<\/a><\/span> in the PHP SOAP extension.<\/p>\n This vulnerability emerges from how the extension handles deduplicating objects within the XML graph using id and href attributes.<\/p>\n When parsing an XML document, the extension stores plain PHP objects in a global hash map but critically fails to increment their reference count.<\/p>\n By leveraging the Apache map mechanism<\/a>, an attacker can intentionally free these objects by overwriting existing map entries.<\/p>\n This memory manipulation allows the attacker to reuse the freed memory segment, leading to dangerous memory corruption.<\/p>\n As demonstrated by security researcher Brett Gervasoni, an attacker can highly control this freed memory by subsequently allocating plain strings, ultimately escalating the flaw into full Remote Code Execution.<\/p>\n Alongside the RCE flaw, the PHP security team addressed four additional moderate-severity vulnerabilities through GitHub.<\/p>\n Developer\u00a0iluuu1994\u00a0spearheaded remediation efforts for all the newly disclosed bugs.<\/p>\n CVE-2026-7261 involves another Use-After-Free issue in the SoapServer when handling session-persisted objects<\/p>\n \u00a0If a header node\u2019s handler function fails or throws an exception, the object is incorrectly freed but still written to session storage.<\/p>\n CVE-2026-7262 is a NULL pointer dereference vulnerability<\/a> triggered during the decoding of Apache: Map nodes.<\/p>\n By sending a specially crafted XML request missing the value node, attackers can consistently crash the PHP process, resulting in a Denial of Service.<\/p>\n CVE-2026-7258 exposes an out-of-bounds read<\/a> in the native urldecode() function.<\/p>\n Due to a missing type cast when evaluating hexadecimal characters, negative byte values can cause a segmentation fault on some platforms, such as NetBSD.<\/p>\n CVE-2026-6104 affects the mbstring extension: parsing encoding names containing embedded NUL bytes causes a global buffer overrun.<\/p>\n This information disclosure bug can read beyond intended bounds but is not directly exploitable for code execution.<\/p>\n These vulnerabilities affect multiple actively supported PHP branches for the SOAP-related flaws and the urldecode() bug.<\/p>\n The affected releases include PHP versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. The mbstring vulnerability strictly impacts versions before 8.4.21 and 8.5.6.<\/p>\n Administrators are strongly advised to update their PHP environments immediately.<\/p>\n Patches contributed on GitHub by iluuu1994, iliaal, and ndossche<\/a> are now integrated into PHP versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6.<\/p>\n Upgrading to these patched versions securely resolves the memory mishandling and out-of-bounds read issues, defending the server against both denial-of-service and remote-code-execution attacks.<\/p>\n Organizations using the SOAP extension must prioritize deploying this patch to protect critical infrastructure adequately.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Critical PHP SOAP Extension Vulnerabilities Enables Remote Code Execution Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAdditional PHP SOAP Flaws<\/strong><\/h2>\n