PatchSiren cyber security CVE debrief
CVE-2026-14355 php CVE debrief
CVE-2026-14355 is a buffer allocation flaw in the OpenSSL extension of PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, and 8.5.* before 8.5.8. The flaw can cause OpenSSL to write beyond the allocated output buffer, corrupting heap metadata and aborting the application. It arises in the AES-WRAP-PAD (AES key wrap with padding) implementation, which sizes the output buffer from the plaintext length without accounting for RFC 5649 expansion. The CVSS score for this vulnerability is 5.6, a Medium severity rating. The CVE was published on 2026-07-03T21:16:55.783Z and modified on 2026-07-04T16:17:14.033Z.
- Vendor: php
- Product: Unknown
- CVSS: MEDIUM 5.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-07-03
- Original CVE updated: 2026-07-04
- Advisory published: 2026-07-03
- Advisory updated: 2026-07-04
Who should care
PHP developers and administrators who maintain or use PHP versions 8.2.*, 8.3.*, 8.4.*, and 8.5.* should be aware of this vulnerability. Given the Medium severity and potential for application aborts, users of affected PHP versions should prioritize patching. Additionally, security teams monitoring for potential disruptions in PHP-based applications should note this CVE.
Technical summary
The buffer allocation flaw in the OpenSSL extension of PHP lies in the AES-WRAP-PAD algorithm implementation. Specifically, the output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion, so the wrapped output is larger than the buffer reserved for it. This undersized buffer may cause OpenSSL to write beyond allocated memory, leading to heap metadata corruption and application aborts. The vulnerability has a CVSS score of 5.6 and a Medium severity rating. The affected PHP versions are 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, and 8.5.* before 8.5.8.
Defensive priority
Patching is recommended for PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, and 8.5.* before 8.5.8. Given the Medium severity, defenders should prioritize updating to the patched versions to prevent potential application aborts and disruptions.
Recommended defensive actions
- Update PHP to version 8.2.32 or later for PHP 8.2.*
- Update PHP to version 8.3.32 or later for PHP 8.3.*
- Update PHP to version 8.4.23 or later for PHP 8.4.*
- Update PHP to version 8.5.8 or later for PHP 8.5.*
- Review and monitor PHP-based applications for potential disruptions
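As an added example (not part of this advisory and not PHP's own code), the following Python helper checks a PHP version string against the affected ranges listed above and computes the RFC 5649 (AES-KWP) output length for a given plaintext length, the expansion the technical summary says the vulnerable buffer sizing ignored. The version-string formats and the sample inputs in the demo are assumptions.

```python
import math
import re

# Fixed versions per this advisory, keyed by the major.minor branch.
FIXED_VERSIONS = {
    (8, 2): (8, 2, 32),
    (8, 3): (8, 3, 32),
    (8, 4): (8, 4, 23),
    (8, 5): (8, 5, 8),
}


def parse_php_version(text):
    """Parse '8.4.12' or 'PHP 8.4.12 (cli)' into a (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version is in an affected branch and below that branch's fix."""
    major, minor, patch = parse_php_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False  # branch not named by the advisory (e.g. 8.1.x)
    return (major, minor, patch) < fixed


def kwp_output_len(plaintext_len):
    """RFC 5649 wrapped length: plaintext zero-padded to a multiple of 8 bytes,
    plus the 8-byte integrity block. Always strictly larger than the plaintext."""
    if plaintext_len < 1:
        raise ValueError("AES-KWP requires at least one byte of plaintext")
    return 8 * math.ceil(plaintext_len / 8) + 8


def buffer_shortfall(plaintext_len):
    """Bytes by which a buffer sized from the plaintext length alone falls short
    of the wrapped output, i.e. the overrun described in the advisory."""
    return kwp_output_len(plaintext_len) - plaintext_len


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    for v in ["PHP 8.4.12 (cli)", "8.4.23", "8.5.7", "8.1.30"]:
        print(v, "affected" if is_affected(v) else "not affected")
    for n in [1, 7, 8, 9, 32]:
        print(n, "byte plaintext ->", kwp_output_len(n), "bytes wrapped, shortfall", buffer_shortfall(n))
```

Feed `php -v` output from each host into `is_affected` to triage a fleet against the four fixed versions.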
Evidence notes
The CVE-2026-14355 details are based on information from official sources, including the CVE record and NVD detail pages. The vulnerability affects multiple PHP versions and has a Medium severity rating. The evidence suggests that patching is necessary to prevent potential application aborts and disruptions.
Official resources
- CVE-2026-14355 CVE record (CVE.org)
- CVE-2026-14355 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: af854a3a-2127-422b-91ae-364da2661108
This article is AI-assisted and based on the supplied source corpus.