DEBIAN-CVE-2026-6722

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-6722

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6722.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-6722

Upstream

CVE-2026-6722

Published

2026-05-10T05:16:11.070Z

Modified

2026-05-16T01:00:26.630275Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

References

https://security-tracker.debian.org/tracker/CVE-2026-6722

Affected packages

Debian:11 / php7.4

Package

Name: php7.4
Purl: pkg:deb/debian/php7.4?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.4.33-1+deb11u11

Affected versions

7.*

7.4.21-1+deb11u1

7.4.25-1+deb11u1

7.4.26-1

7.4.28-1+deb11u1

7.4.30-1+deb11u1

7.4.33-1+deb11u1

7.4.33-1+deb11u3

7.4.33-1+deb11u4

7.4.33-1+deb11u5

7.4.33-1+deb11u6

7.4.33-1+deb11u7

7.4.33-1+deb11u8

7.4.33-1+deb11u9

7.4.33-1+deb11u10

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6722.json"

Debian:12 / php8.2

Package

Name: php8.2
Purl: pkg:deb/debian/php8.2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.2.31-1~deb12u1

Affected versions

8.*

8.2.5-2

8.2.7-1~deb12u1

8.2.7-1

8.2.7-1.1

8.2.7-1.2

8.2.10-1

8.2.10-2

8.2.12-1

8.2.16-1

8.2.16-2

8.2.17-1

8.2.18-1~deb12u1

8.2.18-1

8.2.20-1~deb12u1

8.2.20-2

8.2.20-3

8.2.21-1

8.2.23-1

8.2.24-1~deb12u1

8.2.24-1

8.2.26-1~deb12u1

8.2.26-4

8.2.27-1

8.2.28-1~deb12u1

8.2.29-1~deb12u1

8.2.30-1~deb12u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6722.json"

Debian:13 / php8.4

Package

Name: php8.4
Purl: pkg:deb/debian/php8.4?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.4.21-1~deb13u1

Affected versions

8.*

8.4.11-1

8.4.16-1~deb13u1

8.4.16-1

8.4.20-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6722.json"

Debian:14 / php8.4

Package

Name: php8.4
Purl: pkg:deb/debian/php8.4?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.4.21-1

Affected versions

8.*

8.4.11-1

8.4.16-1~deb13u1

8.4.16-1

8.4.20-1

8.4.21-1~deb13u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6722.json"