Three CVEs landed on my feed last week and each one tells a different story about attack surface. The PHP SOAP RCE is the headline grabber with a 9.8 CVSS and exploit code in the wild. The Dell BIOS password flaw is quieter but physically recoverable in milliseconds. And the Comfast router OS injection is the kind of thing that reminds you IoT firmware still ships with command injection bugs in 2026. I want to walk through each one, what it means for defenders, and what you should actually do.
CVE-2026-6722: PHP SOAP use-after-free with working exploit
This is the one you need to patch today. CVE-2026-6722 is a use-after-free in PHP's SOAP extension, CVSS 9.8 from NIST, 9.5 from the PHP Group. Researcher Brett Gervasoni published a working proof-of-concept within days of the patch. Automated scanning for SOAP endpoints spiked within 72 hours of disclosure, according to Falcon Internet Blog's coverage. The patching window was effectively zero.
The vulnerability lives in soap_add_xml_ref() inside ext/soap/php_encoding.c. PHP's SOAP extension maintains a global reference map called SOAP_GLOBAL(ref_map) that stores pointers to PHP objects for deduplication during request processing. The problem is it stores those pointers without incrementing the objects' reference counts. When the extension encounters duplicate keys inside an apache:Map node in a SOAP request, it frees the first object while leaving a live dangling pointer in the map. An attacker who controls the SOAP request body can then craft a follow-up allocation to place attacker-controlled data into that freed memory region and dereference the dangling pointer to achieve remote code execution.
The CWE classifications are CWE-416 (Use After Free) and CWE-825 (Expired Pointer Dereference). Gervasoni's PoC uses a SOAP XML envelope with duplicate-key Apache map structures to trigger the condition reliably. This is not a theoretical edge case. It is a reproducible attack against any reachable PHP application that loads the SOAP extension and processes external requests.
The same patch batch also closed two related SOAP flaws: CVE-2026-7261 (use-after-free in SoapServer when session persistence hits a header-parsing error, CVSS 6.3) and CVE-2026-7262 (broken NULL check in Apache map value handling, CVSS 6.3). And if you use openssl_encrypt() with AES-WRAP-PAD cipher mode, there is also CVE-2026-14355 in the same release cycle, a heap memory corruption that could lead to process corruption or RCE depending on context.
The only complete fix is upgrading PHP. There is no configuration-only workaround if your application uses SOAP. Check your version immediately: php -v on the command line, or find your PHP version in cPanel's MultiPHP Manager, Plesk's PHP Settings, or DirectAdmin's PHP Version Manager. If you are below PHP 8.2.31, 8.3.31, 8.4.21, or 8.5.6, you are exposed. Upgrade to a patched branch. If you cannot upgrade immediately, check whether SOAP is even loaded: php -m | grep -i soap. If SOAP does not appear, you are not exposed via this vector. If it does and you do not need it, comment out extension=soap in php.ini.
Review logs for unusual POST traffic targeting .php endpoints with Content-Type: text/xml or application/soap+xml. Elevated traffic with malformed payloads may indicate active scanning. Managed server environments with consistent PHP patch cycles generally reached patched versions within hours. The businesses that will hurt are the ones running unmanaged PHP on hosting they have not looked at in six months. With automated exploit kits already scanning, that window is closing fast.
CVE-2026-40639: Dell BIOS passwords recovered from SPI flash in milliseconds
The Dell BIOS password flaw (CVE-2026-40639, DSA-2026-197) is a different kind of attack. It requires physical access to the flash chip via a clip and programmer, or booting an attacker-controlled OS. But once you have that access, recovery takes milliseconds with no brute force required.
The vulnerability is in how Dell stores BIOS administrator and user passwords in the DVAR (Dell Variable) region of the SPI flash chip. Instead of using a proper cryptographic hash, Dell uses a repeating 20-byte XOR key applied to a 32-byte field. The first character of the password is stored completely unencrypted. For any password of 12 characters or fewer, the unused, null-padded tail of the 32-byte field ends up XORed against zero, which simply reveals raw key bytes. Since the key is only 20 bytes but the field is 32, this mismatch leaks the entire key directly from the record, letting attackers reverse the password instantly.
There are just 256 possible keys per device. Old, deleted DVAR records are not securely erased, so an attacker can often recover an older short password, extract its key, and apply it to a longer current password sharing the same first letter.
The flaw was discovered by researchers Craig S. Blackie (MDSec) and Darren McDonald (AmberWolf) while probing Dell UEFI firmware for unrelated pre-boot DMA vulnerabilities. It affects the SystemPwSmm SMM driver used broadly across Dell client platforms, confirmed on the Latitude E7250, Latitude 7490, XPS 15 9560, and notably the current-generation, supported Wyse 5070 thin client, which remains unpatched.
Dell issued DSA-2026-197 on June 9, 2026, patching an initial batch of platforms (Edge Gateway, Embedded PC, Precision, and Rugged Latitude lines), with additional fixes targeted for the end of July 2026. The advisory does not yet cover the Wyse 5070 or several other confirmed-vulnerable devices. The researchers recommend Dell move to salted, iterated password hashing across all platforms and securely erase historical DVAR records. For defenders, the takeaway is not to rely on BIOS passwords alone to protect encrypted boot chains. If someone can physically touch the flash chip, they can get your password.
CVE-2026-15511: Comfast router OS command injection
This one is short but worth noting. CVE-2026-15511 affects Comfast CF-WR631AX V3 up to firmware version 2.7.0.8. It is an OS command injection vulnerability that can be triggered remotely. The NVD entry (nvd.nist.gov) confirms remote attack initiation. I have not seen a public PoC yet, but command injection in IoT routers is a well-worn path. Many consumer and small-business routers ship with web interfaces that pass user input directly into system() or exec() calls. If you own a Comfast router, check the firmware version and apply any updates. If updates are not available, consider replacing the device. Routers with unpatched command injection are a reliable entry point for lateral movement into a network.
What to do right now
Prioritize PHP patching. Run php -v and check your version. If you are on a managed host, confirm they applied the update. If you run your own servers, upgrade. Then check whether you have any Comfast routers on your network and apply firmware updates. For the Dell BIOS issue, if you manage Dell hardware, check the DSA-2026-197 advisory and verify whether your models are covered. If you are using BIOS passwords to protect disk encryption keys or boot integrity, consider that the protection is weaker than it looks.
The PHP SOAP vulnerability is the one that will cause the most damage because it is remote, unauthenticated, and already exploited. The Dell BIOS flaw is more constrained but reveals a design failure in password storage that should not exist in 2026. The Comfast router injection is a reminder that the low-end IoT market still ships firmware that treats user input as code. None of these are new patterns. They keep happening because the same mistakes get repeated.