CVE-2026-7261
SOAP persistence leads to use-after-free
| Publication Date | 2026-05-10 |
|---|---|
| Severity | Moderate |
| Type | Information Disclosure |
| Affected PHP Versions | |
| Fixed Product Versions | |
CVE Details
When SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, when SOAP requests result in an error, the persistence is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which leads to a use-after-free vulnerability. This can result in memory corruption, disclosure of sensitive information from memory, or process crashes.
Recommendations
Consider whether or not SOAP_PERSISTENCE_SESSION is required for your application, and disable it if not. If session persistence is required, consider implementing it via other mechanisms (e.g. using a SOAP variable to store the session identifier). Otherwise, consider updating to a patched version of PHP.
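To support the first recommendation, the following added example (not part of the advisory or of PHP itself) scans PHP source text for `SoapServer::setPersistence()` calls and classifies each one. The function name `audit_soap_persistence`, the verdict labels and the sample input are hypothetical, and the code assumes the constants `SOAP_PERSISTENCE_SESSION` and `SOAP_PERSISTENCE_REQUEST` have the integer values 1 and 2.

```python
import re

# Strings and comments are blanked first, so "//" inside a URI string or a
# commented-out call cannot produce a finding. Heredocs are not handled.
_SKIP = re.compile(r"""'(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*"
                     | //[^\n]* | \#(?!\[)[^\n]* | /\*.*?\*/""", re.S | re.X)
# PHP method names are case-insensitive; capture the argument up to the ")"
# that closes the call within the same statement.
_CALL = re.compile(r"(?:->|::)\s*setPersistence\s*\(([^;]*)\)", re.I)

def _blank(match):
    return re.sub(r"[^\n]", " ", match.group(0))  # keep line numbers stable

def audit_soap_persistence(php_source):
    """Return (line, verdict, argument) for each setPersistence() call.

    verdict: "session" = configuration named in the advisory,
             "request" = per-request handler object,
             "review"  = argument is not a literal; check by hand.
    """
    code = _SKIP.sub(_blank, php_source)
    findings = []
    for m in _CALL.finditer(code):
        arg = m.group(1).strip().lstrip("\\")  # allow \SOAP_PERSISTENCE_SESSION
        # Assumption: the constants have the integer values 1 and 2.
        if arg in ("SOAP_PERSISTENCE_SESSION", "1"):
            verdict = "session"
        elif arg in ("SOAP_PERSISTENCE_REQUEST", "2"):
            verdict = "request"
        else:
            verdict = "review"
        findings.append((code.count("\n", 0, m.start()) + 1, verdict, arg))
    return findings

# Constructed sample input, not taken from any real application.
SAMPLE = """<?php
$a = new SoapServer(null, ['uri' => 'http://example.test/a']);
$a->setPersistence(SOAP_PERSISTENCE_SESSION);  // affected configuration
$b->setPersistence(SOAP_PERSISTENCE_REQUEST);
// $c->setPersistence(SOAP_PERSISTENCE_SESSION);
$d->setPersistence($mode);
$e -> setPersistence( 1 );
"""

if __name__ == "__main__":
    for line, verdict, arg in audit_soap_persistence(SAMPLE):
        print(f"line {line}: {verdict:8} setPersistence({arg})")
```

Calls reported as `review` pass a variable or expression, so the mode has to be traced by hand before the application can be considered unaffected.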