From db2a7f9348fd5dda5fd162061786a664c417bf5b Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 19:57:16 +0200
Subject: [PATCH] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after header
 parsing failure with SOAP_PERSISTENCE_SESSION

Fixes GHSA-m33r-qmcv-p97q
Fixes CVE-2026-7261
---
 ext/soap/soap.c                         | 12 ++++-
 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 58 +++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt

Index: php-7.4.33/ext/soap/soap.c
===================================================================
--- php-7.4.33.orig/ext/soap/soap.c
+++ php-7.4.33/ext/soap/soap.c
@@ -1807,13 +1807,21 @@ PHP_METHOD(SoapServer, handle)
 					php_output_discard();
 					soap_server_fault_ex(function, &h->retval, h);
 					efree(fn_name);
-					if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+					if (service->type == SOAP_CLASS && soap_obj) {
+						if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+							zval_ptr_dtor(soap_obj);
+						}
+					}
 					goto fail;
 				} else if (EG(exception)) {
 					php_output_discard();
 					_soap_server_exception(service, function, ZEND_THIS);
 					efree(fn_name);
-					if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+					if (service->type == SOAP_CLASS && soap_obj) {
+						if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+							zval_ptr_dtor(soap_obj);
+						}
+					}
 					goto fail;
 				}
 			} else if (h->mustUnderstand) {