This vulnerability (CVE-2026-6722) involves a use-after-free condition in the PHP SOAP extension's object deduplication mechanism. Specifically, when processing apache:Map nodes with duplicate keys, the second entry overwrites the first in a temporary result map, freeing the original PHP object without updating reference counts. Subsequent references to the freed object can lead to dangling pointers. Because PHP string allocations may reuse the freed memory, an attacker who can control the SOAP request body can exploit this to achieve remote code execution. The affected PHP versions are 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6. The vulnerability is classified under CWE-416 (Use After Free) and has a critical CVSS score of 9.5.

Successful exploitation of this vulnerability can lead to remote code execution on affected PHP installations. This poses a critical risk as it allows an unauthenticated attacker to execute arbitrary code by sending crafted SOAP requests. The vulnerability affects multiple recent PHP versions, increasing the potential attack surface. There are no known exploits in the wild at the time of this report.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided in the available data, users should monitor the PHP Group's advisories for updates. Until a fix is available, consider disabling the SOAP extension if it is not required or restricting access to SOAP endpoints to trusted users only to reduce exposure.