OFFSITE.DARK
← Signals

Jun 29, 2026

1 min

Sploitus / Exploitarium

  • php
  • deserialization
  • soap
  • exploitarium

news

PHP 8.5.7 StreamBucket SOAP Numeric Cookie RCE

StreamBucket type confusion chains to fake HashTable write and zend_execute_internal hook — marker PHP857_RCE validated locally.

Summary

StreamBucket type confusion chains to fake HashTable write and zend_execute_internal hook — marker PHP857_RCE validated locally. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

FindingDetail
Product / targetPHP 8.5.7
PrimitiveInternal property confusion → HashTable overwrite → zif_system
ImpactRemote/locale-dependent RCE in PHP process parsing attacker-controlled SOAP path.

Attack Chain

rpoc.php StreamBucket trigger → overwrite_returned → marker file

Mitigation

Upgrade PHP when security release available; disable SOAP where unused.

Related Signals

Sources

→ Source