Количество 12
Количество 12
GHSA-85c2-q967-79q5
Use-After-Free in SOAP using Apache map with Remote Code Execution
CVE-2026-6722
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
CVE-2026-6722
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
CVE-2026-6722
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
CVE-2026-6722
Use-After-Free in SOAP using Apache map
CVE-2026-6722
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before ...
BDU:2026-06622
Уязвимость функции soap_add_xml_ref() интерпретатора языка программирования PHP, позволяющая нарушителю выполнить произвольный код
SUSE-SU-2026:2091-1
Security update for php7
SUSE-SU-2026:2037-1
Security update for php8
SUSE-SU-2026:1958-1
Security update for php8
SUSE-SU-2026:1957-1
Security update for php8
openSUSE-SU-2026:20745-1
Security update for php8
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
| GHSA-85c2-q967-79q5 Use-After-Free in SOAP using Apache map with Remote Code Execution | 1% Низкий | около 1 месяца назад | |
 | CVE-2026-6722 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution. | CVSS3: 9.8 | 1% Низкий | около 1 месяца назад |
 | CVE-2026-6722 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution. | CVSS3: 7.7 | 1% Низкий | около 1 месяца назад |
 | CVE-2026-6722 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution. | CVSS3: 9.8 | 1% Низкий | около 1 месяца назад |
 | CVE-2026-6722 Use-After-Free in SOAP using Apache map | 1% Низкий | 19 дней назад | |
| CVE-2026-6722 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before ... | CVSS3: 9.8 | 1% Низкий | около 1 месяца назад |
 | BDU:2026-06622 Уязвимость функции soap_add_xml_ref() интерпретатора языка программирования PHP, позволяющая нарушителю выполнить произвольный код | CVSS3: 9 | 1% Низкий | около 2 месяцев назад |
 | SUSE-SU-2026:2091-1 Security update for php7 | 25 дней назад | ||
| SUSE-SU-2026:2037-1 Security update for php8 | около 1 месяца назад | ||
| SUSE-SU-2026:1958-1 Security update for php8 | около 1 месяца назад | ||
| SUSE-SU-2026:1957-1 Security update for php8 | около 1 месяца назад | ||
| openSUSE-SU-2026:20745-1 Security update for php8 | около 1 месяца назад |
Уязвимостей на страницу