In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
Conclusion & alert: CVE-2026-6722 is rated Moderate Risk (51.8/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.51%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.35% | 0.51% | +0.15% |
| 2 | 2026-05-22 | 0.30% | 0.35% | +0.06% |
| 3 | 2026-05-16 | — | 0.30% | — |
Full EPSS history (5 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.5 | 4.0 | CRITICAL |
|
— | — | [email protected] |
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-6722 not yet assigned priority: Debian including 3 source packages (php7.4, php8.2, php8.4), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2026-6722 |
suse
|
high | CVE-2026-6722 severity important: SUSE including 47 source package names (php8-8.5.6-1.1, php8-bcmath-8.5.6-1.1, …), 47 product×package rows across 1 product lines (openSUSE Tumbleweed): Fixed 47. | https://www.suse.com/security/cve/CVE-2026-6722/ |
ubuntu
|
medium | CVE-2026-6722 medium priority: Ubuntu including 8 source packages (php5, php7.0, …), 44 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 28, needs-triage 9, released 7. | https://ubuntu.com/security/CVE-2026-6722 |
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5 | Vendor Advisory |