PT-2026-42172 · Unknown · Intl-Extra

Published 2026-05-20 · Updated 2026-05-21 · CVE-2026-46629

CVSS v4.0: 2.7 (Low)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

Name of the Vulnerable Software and Affected Versions

twig/intl-extra (affected versions not specified)

Description

IntlExtension memoises every IntlDateFormatter and NumberFormatter it creates in instance-level arrays. These arrays are keyed on a hash including locale, pattern, and attrs, which are named arguments for the format_datetime, format_date, format_time, format_number, and format_currency filters. Because there is no size limit or eviction process, a template iterating over many distinct values allocates one ICU formatter object per value, pinning it for the lifetime of the Twig\Environment. Since ICU allocates backing buffers outside the Zend memory manager, this growth is not restricted by memory_limit. In long-running runtimes such as RoadRunner, Swoole, FrankenPHP worker mode, or ReactPHP, the cache accumulates across multiple requests.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
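
The memoisation pattern described above, with the missing size limit and eviction added, as an example written for this page (it is not twig/intl-extra code and not a published fix). The class name BoundedFormatterCache, its methods and the cap of 64 are assumptions, and only the date formatter case is shown:

```php
<?php
// Added illustration; BoundedFormatterCache is a hypothetical class, not twig/intl-extra code.
declare(strict_types=1);

final class BoundedFormatterCache
{
    /** @var array<string, \IntlDateFormatter> insertion order doubles as LRU order */
    private array $formatters = [];

    public function __construct(private int $maxEntries = 64)
    {
    }

    public function dateFormatter(string $locale, int $dateType, int $timeType, ?string $pattern = null): \IntlDateFormatter
    {
        // As in the advisory's description, the key is a hash of caller-supplied arguments.
        $key = hash('sha256', serialize([$locale, $dateType, $timeType, $pattern]));

        if (isset($this->formatters[$key])) {
            // Hit: re-insert the entry at the end so it becomes the most recently used.
            $formatter = $this->formatters[$key];
            unset($this->formatters[$key]);
            return $this->formatters[$key] = $formatter;
        }

        // Miss: evict the least recently used entry before growing past the cap, so
        // distinct argument values can no longer pin an unlimited number of ICU objects.
        if (count($this->formatters) >= $this->maxEntries) {
            unset($this->formatters[array_key_first($this->formatters)]);
        }

        return $this->formatters[$key] = new \IntlDateFormatter($locale, $dateType, $timeType, null, null, $pattern);
    }

    public function size(): int
    {
        return count($this->formatters);
    }
}

// Constructed input: 10,000 distinct patterns, as a loop over distinct values would produce.
$cache = new BoundedFormatterCache(64);
for ($i = 0; $i < 10000; $i++) {
    $cache->dateFormatter('en_US', \IntlDateFormatter::NONE, \IntlDateFormatter::NONE, "yyyy-MM-dd 'row $i'");
}
// The entry count is held at the cap instead of growing with the number of distinct keys.
echo $cache->size(), PHP_EOL;
```

In a long-running worker, tracking process RSS alongside memory_get_usage() shows whether native ICU allocations are still growing, since that growth is outside memory_limit.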

Exploit

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-46629
GHSA-35WC-CVQG-78FP

Affected Products

Intl-Extra