CVE-2026-6722
Publication date 10 May 2026
Last updated 6 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| php7.0 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 16.04 LTS xenial |
Fixed 7.0.33-0ubuntu0.16.04.16+esm19
|
|
| php5 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 14.04 LTS trusty |
Needs evaluation
|
|
| php7.2 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| php7.4 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Needs evaluation
|
|
| php8.1 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Fixed 8.1.2-1ubuntu2.24
|
|
| php8.3 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble |
Fixed 8.3.6-0ubuntu0.24.04.9
|
|
| 22.04 LTS jammy | Not in release | |
| php8.4 | 26.04 LTS resolute | Not in release |
| 25.10 questing |
Fixed 8.4.11-1ubuntu1.2
|
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| php8.5 | 26.04 LTS resolute |
Fixed 8.5.4-0ubuntu1.1
|
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialNotes
Severity score breakdown
CVSS version:
Base score
9.5 · Critical
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/RE:M/U:Red
Base score
7.7 · High
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
References
Related Ubuntu Security Notices (USN)
- USN-8336-1
- PHP vulnerabilities
- 28 May 2026
- USN-8513-1
- PHP vulnerabilities
- 6 July 2026