PT-2026-55488 · Php · Php
David Carlier +1 · Published 2026-07-02 · Updated 2026-07-03 · CVE-2026-14355
CVSS v3.1: 5.6 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
PHP versions 8.2.0 through 8.2.31
PHP versions 8.3.0 through 8.3.31
PHP versions 8.4.0 through 8.4.22
PHP versions 8.5.0 through 8.5.7
Description
The OpenSSL extension contains a buffer allocation flaw in the AES-WRAP-PAD algorithm implementation. The output buffer for the AES key-wrap-with-padding operation is sized based on the plaintext length but fails to account for RFC 5649 expansion. This can lead to writing beyond the allocated memory, which corrupts heap metadata and may cause the application to abort. This issue occurs within the openssl_encrypt() function.
Recommendations
Update PHP version 8.2.x to 8.2.32
Update PHP version 8.3.x to 8.3.32
Update PHP version 8.4.x to 8.4.23
Update PHP version 8.5.x to 8.5.8
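The RFC 5649 expansion named in the Description, worked through as an added example (not PHP's or OpenSSL's code): the wrapped output is the plaintext padded to a multiple of 8 bytes plus one 8-byte integrity block, so a buffer sized from the plaintext length alone is always too small. The function names, the conservative upper length bound and the sample lengths are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 5649 output size for an m-byte plaintext: the plaintext is zero-padded
 * to a multiple of 8 bytes and one 8-byte integrity block is prepended.
 * Returns 0 for m == 0 or for lengths above a conservative bound chosen here
 * (example assumption) so the arithmetic cannot wrap on any size_t width. */
size_t wrap_pad_out_len(size_t m)
{
    if (m == 0 || m > UINT32_MAX - 16u)
        return 0;
    return (m + 7) / 8 * 8 + 8;
}

/* Write AIV || plaintext || zero padding (the input to the AES wrap rounds,
 * which has the same length as the final ciphertext) into out.
 * Returns bytes written, or 0 if the length is rejected or out_cap is too small. */
size_t wrap_pad_frame(const uint8_t *pt, size_t m, uint8_t *out, size_t out_cap)
{
    size_t need = wrap_pad_out_len(m);
    if (need == 0 || out_cap < need)  /* a buffer sized from m alone fails here */
        return 0;
    /* Alternative IV: constant A65959A6, then the length as 32-bit big-endian */
    out[0] = 0xA6; out[1] = 0x59; out[2] = 0x59; out[3] = 0xA6;
    out[4] = (uint8_t)(m >> 24); out[5] = (uint8_t)(m >> 16);
    out[6] = (uint8_t)(m >> 8);  out[7] = (uint8_t)m;
    memcpy(out + 8, pt, m);
    memset(out + 8 + m, 0, need - 8 - m);
    return need;
}

int main(void)
{
    static const size_t samples[] = {1, 8, 9, 16, 20, 32}; /* constructed lengths */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("plaintext %2zu -> wrapped %2zu (+%zu)\n", samples[i],
               wrap_pad_out_len(samples[i]),
               wrap_pad_out_len(samples[i]) - samples[i]);
    return 0;
}
```

The expansion ranges from 8 bytes (plaintext already a multiple of 8) to 15 bytes (one byte past a multiple of 8), which is the amount an output buffer sized from the plaintext length falls short by.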
Fix
Heap Based Buffer Overflow
Weakness Enumeration
Related Identifiers
Affected Products
Php