PT-2026-55488 · Php · Php

David Carlier +1 · Published 2026-07-02 · Updated 2026-07-03 · CVE-2026-14355

CVSS v3.1: 5.6 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

PHP versions 8.2.0 through 8.2.31
PHP versions 8.3.0 through 8.3.31
PHP versions 8.4.0 through 8.4.22
PHP versions 8.5.0 through 8.5.7

Description

The OpenSSL extension contains a buffer allocation flaw in its AES-WRAP-PAD implementation. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length and does not account for the expansion that RFC 5649 adds to the output. The write can therefore run past the end of the allocation, which corrupts heap metadata and may cause the application to abort. The issue occurs within the openssl_encrypt() function.

Recommendations

Update PHP version 8.2.x to 8.2.32
Update PHP version 8.3.x to 8.3.32
Update PHP version 8.4.x to 8.4.23
Update PHP version 8.5.x to 8.5.8
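
A triage sketch for the version ranges above, added here as an example and not taken from the advisory's authors or from PHP. The helper names (triage, needs_action), the status labels and the sample inventory are assumptions made for illustration; only the version numbers come from this page.

```python
import re

# Last affected patch level and first fixed release per branch,
# copied from this advisory (CVE-2026-14355).
BRANCHES = {
    (8, 2): (31, "8.2.32"),
    (8, 3): (31, "8.3.32"),
    (8, 4): (22, "8.4.23"),
    (8, 5): (7, "8.5.8"),
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
_PRERELEASE = re.compile(r"^-?(dev|alpha|beta|rc)", re.IGNORECASE)


def triage(version):
    """Classify a PHP_VERSION-style string (hypothetical helper).

    Returns (status, fixed_release). Status is one of:
    affected, fixed, verify (a vendor or pre-release suffix means the
    number alone cannot settle it), not-listed, unparseable.
    """
    m = _VERSION.match(version.strip())
    if m is None:
        return ("unparseable", None)
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    branch = BRANCHES.get((major, minor))
    if branch is None:
        return ("not-listed", None)  # branch not covered by the advisory
    last_affected, fixed = branch
    suffix = m.group(4)
    if patch > last_affected and not _PRERELEASE.match(suffix):
        return ("fixed", fixed)
    if suffix:
        return ("verify", fixed)  # e.g. distro build that may carry a backport
    return ("affected", fixed)


# Constructed sample inventory: host -> reported PHP version.
INVENTORY = {"web-01": "8.3.31", "web-02": "8.3.32", "edge-01": "8.5.7",
             "api-01": "8.2.12-1ubuntu4.3", "batch-01": "8.1.29"}


def needs_action(inventory):
    """Hosts to upgrade or check by hand, mapped to (status, target release)."""
    results = {host: triage(ver) for host, ver in inventory.items()}
    return {h: r for h, r in results.items()
            if r[0] in ("affected", "verify", "unparseable")}


if __name__ == "__main__":
    for host, (status, fixed) in sorted(needs_action(INVENTORY).items()):
        print(f"{host}: {status}, target {fixed}")
```

A "verify" result means the package changelog has to be checked, since a distribution may ship the fix under an older upstream version number.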

Fix

Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-14355

Affected Products

Php