PatchSiren cyber security CVE debrief

CVE-2026-14355 php CVE debrief

CVE-2026-14355 is a buffer allocation flaw in the OpenSSL extension of PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, and 8.5.* before 8.5.8. The vulnerability causes OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort. The issue arises from the AES-WRAP-PAD algorithm implementation, which sizes the output buffer from the plaintext length without accounting for RFC 5649 expansion. The CVSS score for this vulnerability is 5.6, with a Medium severity rating. The CVE was published on 2026-07-03T21:16:55.783Z and modified on 2026-07-04T16:17:14.033Z.

Vendor: php
Product: Unknown
CVSS: MEDIUM 5.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-07-03
Original CVE updated: 2026-07-04
Advisory published: 2026-07-03
Advisory updated: 2026-07-04

Who should care

PHP developers and administrators who maintain or use PHP versions 8.2.*, 8.3.*, 8.4.*, and 8.5.* should be aware of this vulnerability. Given the Medium severity and potential for application aborts, users of affected PHP versions should prioritize patching. Additionally, security teams monitoring for potential disruptions in PHP-based applications should note this CVE.

Technical summary

The buffer allocation flaw in the OpenSSL extension of PHP affects the AES-WRAP-PAD algorithm implementation. Specifically, the output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This oversight may cause OpenSSL to write beyond allocated memory, leading to heap metadata corruption and application aborts. The vulnerability has a CVSS score of 5.6 and a Medium severity rating. The affected PHP versions are 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, and 8.5.* before 8.5.8.
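As an added illustration (not code from PHP, OpenSSL or the advisory), the Python below implements the RFC 5649 wrap/unwrap structure with a pluggable 128-bit block cipher, so the expansion the summary refers to can be seen directly: the plaintext is zero-padded to a multiple of 8 bytes and an 8-byte integrity block carrying the 0xA65959A6 constant and the original length is prepended, so the wrapped output is always ceil(m/8)*8 + 8 bytes, never m. The block cipher used here is a constructed XOR stand-in for AES (invertible but not secure) so the example runs offline with the standard library; `wrapped_len` is the sizing check a caller should apply before allocating the output buffer.

```python
"""RFC 5649 key wrap with padding, written out to show why the wrapped output
is longer than the plaintext (added example; not PHP or OpenSSL code)."""
import hashlib
import struct

AIV_PREFIX = b"\xa6\x59\x59\xa6"  # RFC 5649 alternative initial value constant


def wrapped_len(plaintext_len: int) -> int:
    """Bytes a caller must allocate for RFC 5649 output: pad the plaintext
    up to a multiple of 8 bytes, then add the 8-byte integrity block A."""
    padded = ((plaintext_len + 7) // 8) * 8
    return padded + 8


def allocation_shortfall(plaintext_len: int) -> int:
    """How many bytes an output buffer sized as len(plaintext) falls short."""
    return wrapped_len(plaintext_len) - plaintext_len


def _toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # CONSTRUCTED stand-in for AES-128 block encryption: XOR with a
    # key-derived pad. Invertible, so unwrap works; not secure.
    pad = hashlib.sha256(key).digest()[:16]
    return bytes(a ^ b for a, b in zip(block, pad))


_toy_block_decrypt = _toy_block_encrypt  # XOR is its own inverse


def kwp_wrap(key: bytes, plaintext: bytes, enc=_toy_block_encrypt) -> bytes:
    m = len(plaintext)
    padded = plaintext + b"\x00" * ((-m) % 8)      # zero-pad to 8-byte boundary
    n = len(padded) // 8                            # number of 64-bit blocks
    a = AIV_PREFIX + struct.pack(">I", m)           # AIV = constant || length
    if n == 1:                                      # single block: one cipher call
        return enc(key, a + padded)
    r = [padded[i * 8:(i + 1) * 8] for i in range(n)]
    for j in range(6):                              # RFC 3394 wrap loop
        for i in range(n):
            b = enc(key, a + r[i])
            t = n * j + i + 1
            a = (int.from_bytes(b[:8], "big") ^ t).to_bytes(8, "big")
            r[i] = b[8:]
    return a + b"".join(r)                          # 8 * (n + 1) bytes


def kwp_unwrap(key: bytes, ciphertext: bytes, dec=_toy_block_decrypt) -> bytes:
    if len(ciphertext) % 8 or len(ciphertext) < 16:
        raise ValueError("malformed wrapped key")
    n = len(ciphertext) // 8 - 1
    if n == 1:
        b = dec(key, ciphertext)
        a, r = b[:8], [b[8:]]
    else:
        a = ciphertext[:8]
        r = [ciphertext[(i + 1) * 8:(i + 2) * 8] for i in range(n)]
        for j in range(5, -1, -1):                  # RFC 3394 unwrap loop
            for i in range(n - 1, -1, -1):
                t = n * j + i + 1
                a_x = (int.from_bytes(a, "big") ^ t).to_bytes(8, "big")
                b = dec(key, a_x + r[i])
                a, r[i] = b[:8], b[8:]
    if a[:4] != AIV_PREFIX:
        raise ValueError("integrity check failed")
    m = struct.unpack(">I", a[4:])[0]
    padded = b"".join(r)
    if not (8 * (n - 1) < m <= 8 * n) or any(padded[m:]):
        raise ValueError("padding check failed")
    return padded[:m]


if __name__ == "__main__":
    key = b"constructed-key!"                       # constructed 16-byte key
    for m in (1, 8, 16, 20, 32):
        ct = kwp_wrap(key, bytes(range(m)))
        print(f"plaintext {m:2d} B -> wrapped {len(ct):2d} B "
              f"(needs {wrapped_len(m)}, short by {allocation_shortfall(m)} "
              f"if sized as plaintext)")
```

Run stand-alone, it prints the correctly sized buffer next to the plaintext-length sizing described in the summary for a few constructed plaintext lengths; the shortfall is always between 8 and 15 bytes, which is the region a buffer sized from the plaintext length leaves uncovered.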

Defensive priority

Patching is recommended for PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, and 8.5.* before 8.5.8. Given the Medium severity, defenders should prioritize updating to the patched versions to prevent potential application aborts and disruptions.

Recommended defensive actions

  • Update PHP to version 8.2.32 or later for PHP 8.2.*
  • Update PHP to version 8.3.32 or later for PHP 8.3.*
  • Update PHP to version 8.4.23 or later for PHP 8.4.*
  • Update PHP to version 8.5.8 or later for PHP 8.5.*
  • Review and monitor PHP-based applications for potential disruptions

Evidence notes

The CVE-2026-14355 details are based on information from official sources, including the CVE record and NVD detail pages. The vulnerability affects multiple PHP versions and has a Medium severity rating. The evidence suggests that patching is necessary to prevent potential application aborts and disruptions.

Official resources

This article is AI-assisted and based on the supplied source corpus.