Cyber Resilience

CVE-2026-6722

CriticalUpdated

Published: 10 May 2026

Published
10 May 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v4 9.5 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Red
EPSS Score 0.0069 48.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-6722 is a critical-severity Use After Free (CWE-416) vulnerability in Php Php. Its CVSS base score is 9.5 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node…

more

contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via crafted SOAP request against public-facing PHP SOAP endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2022-31631Same product: Php Php
CVE-2025-1736Same product: Php Php
CVE-2026-24895Same vendor: Php
CVE-2026-45185Shared CWE-416
CVE-2026-41401Shared CWE-416
CVE-2026-3593Shared CWE-416
CVE-2024-45434Shared CWE-416
CVE-2025-70968Shared CWE-416
CVE-2026-31972Shared CWE-416
CVE-2024-46981Shared CWE-416

Affected Assets

php
php
8.2.0 — 8.2.31 · 8.3.0 — 8.3.31 · 8.4.0 — 8.4.21

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-416

Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.

References