Which versions of PHP 8.2 are affected by EUVD-2026-28966?

PHP 8.2.x contains a critical use-after-free vulnerability (CVE-2026-6722, CVSS 9.5) that enables remote code execution with potential impact to confidentiality, integrity, and availability across…. A patch is available.

Is there a public PoC exploit available for EUVD-2026-28966?

Yes, a public proof-of-concept exploit is available for EUVD-2026-28966. Prioritise patching immediately. EPSS: 0.3%.

PHP 8.2 EUVD-2026-28966

Q: What is the CVSS score of EUVD-2026-28966?

EUVD-2026-28966 has a CVSS 4.0 base score of 9.5 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Red. EPSS exploitation probability: 0.3%.

| CVE-2026-6722 CRITICAL

Use After Free (CWE-416)

2026-05-07

PHP Information Disclosure Use After Free Memory Corruption Microsoft Suse

9.5

CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Red

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 10, 2026 - 05:24 vuln.today

Analysis Generated

May 10, 2026 - 05:24 vuln.today

CVSS changed

May 10, 2026 - 05:22 NVD

9.5 (CRITICAL)

CVE Published

May 07, 2026 - 17:18 nvd

UNKNOWN (no severity yet)

CVE Published

May 07, 2026 - 17:18 nvd

CRITICAL 9.5

Description PRE-NVD

Disclosed via GitHub release of php/php-src. NVD scoring and full description are pending.

AnalysisAI

Use-after-free memory corruption in PHP 8.2.x enables remote attackers to achieve high-impact exploitation through network-accessible attack vectors, despite high attack complexity and specific timing requirements. PHP 8.2.31 addresses this vulnerability along with seven other security issues in a coordinated security release. …

RemediationAI

Within 24 hours: Inventory all PHP 8.2.x deployments in production and pre-production environments and classify by criticality. Within 7 days: Test PHP 8.2.31 (or later stable release) in a staging environment mirroring production configuration, including dependent extensions and frameworks. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory