5.6

CVE-2026-14355

ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD

In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PhpPhp Version >= 8.2.0 < 8.2.32
PhpPhp Version >= 8.3.0 < 8.3.32
PhpPhp Version >= 8.4.0 < 8.4.23
PhpPhp Version >= 8.5.0 < 8.5.8
DebianDebian Linux Version12.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.31% 0.224
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
security@php.net 5.6 2.2 3.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE-122 Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

https://lists.debian.org/debian-lts-announce/2026/07/msg00010.html
Third Party Advisory
Mailing List
https://github.com/php/php-src/security/advisories/GHSA-7jrw-539f-x6vr
Vendor Advisory