Malformed input can lead to use after free and out of bounds memory errors.
This has been fixed with the latest updates of PHP (7.1.26/7.2.14/7.3.1).
(Note: I reported those as separate bugs to PHP, but they had the same underlying bug and were fixed by the same commit. The release notes only mention “out of bounds read”, but this is misleading, as a use after free error is potentially more severe.)
Bugs reported to PHP:
https://bugs.php.net/bug.php?id=77242
https://bugs.php.net/bug.php?id=77249
If the xmlrpc functionality of PHP is used to parse untrusted input from a public API point it can potentially be used to gain code execution.