PHP SOAP Use-After-Free RCE Vulnerability - 20260511001

Overview

A critical vulnerability has been identified in the PHP SOAP extension, involving a use-after-free condition that may allow an attacker to achieve remote code execution.

What is vulnerable?

Product(s) Affected	Version(s)	CVE	CVSS	Severity
PHP (ext-soap)	< 8.2.31 < 8.3.31 < 8.4.21 < 8.5.6	CVE-2026-6722	9.5	Critical

What has been observed?

The WASOC has not received any reports of exploitation of this vulnerability on Western Australian Government networks at the time of writing.

Recommendation

The WASOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframes (refer Patch Management):

• VENDOR: https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5

Additional References

• CVE: https://www.cve.org/CVERecord?id=CVE-2026-6722