CVE-2026-14355
Status: Received - Intake

Buffer Overflow in PHP OpenSSL Extension

Vulnerability report for CVE-2026-14355, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: PHP Group

Description

In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, and 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in the OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for the expansion defined by RFC 5649. This may cause OpenSSL to write beyond the allocated memory, corrupting heap metadata and triggering an application abort.


Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 5 associated CPEs

| Vendor  | Product | Version / Range        |
|---------|---------|------------------------|
| php     | php     | up to 8.2.32 (excluded) |
| php     | php     | up to 8.3.32 (excluded) |
| php     | php     | up to 8.4.23 (excluded) |
| php     | php     | up to 8.5.8 (excluded)  |
| openssl | openssl | *                      |

CWE

CWE-122: A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Executive Summary

This vulnerability exists in the AES-WRAP-PAD algorithm implementation within the OpenSSL extension of certain PHP versions. Specifically, the output buffer for the AES key-wrap-with-padding operation is allocated based on the plaintext length but does not account for the expansion defined by RFC 5649. As a result, OpenSSL may write beyond the allocated memory buffer, leading to heap metadata corruption and potentially causing the application to abort.

Impact Analysis

The vulnerability can cause memory corruption by writing beyond the allocated buffer, which may lead to application crashes or aborts. This can disrupt normal application functionality and potentially be exploited to affect the integrity and availability of the affected system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade PHP to a fixed version where the issue is resolved. Specifically, update to PHP versions 8.2.32 or later, 8.3.32 or later, 8.4.23 or later, or 8.5.8 or later.

This vulnerability is related to the AES-WRAP-PAD algorithm implementation in the OpenSSL extension of PHP, so ensuring your PHP installation is updated will prevent the buffer allocation flaw from being exploited.
