Heap Buffer Overflow in PHP Affects Multiple Versions
CVE-2025-14178
6.5 MEDIUM
What is CVE-2025-14178?
A heap buffer overflow vulnerability has been identified in specific versions of PHP that occurs in the array_merge() function when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE. This issue is triggered by an integer overflow during the precomputation of element counts using zend_hash_num_elements(). The vulnerability poses a risk of memory corruption or server crashes, ultimately affecting the integrity and availability of the targeted server.
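The count precomputation described above can be illustrated with the following added example, which is not PHP's source code. The function names, the sample counts and the `DEMO_HT_MAX_SIZE` value are assumptions made for illustration. It contrasts a 32-bit running total that wraps with a checked total that rejects oversized results.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for PHP's HT_MAX_SIZE; the real value depends on the build. */
#define DEMO_HT_MAX_SIZE 0x40000000u

/* Constructed sample: per-array element counts whose true sum is 0x100000010. */
static const uint32_t demo_counts[] = {
    0x40000000u, 0x40000000u, 0x40000000u, 0x40000000u, 16u
};
#define DEMO_N (sizeof demo_counts / sizeof demo_counts[0])

/* Unsafe pattern: the running total is 32-bit, so it silently wraps. */
static uint32_t total_unchecked(const uint32_t *counts, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += counts[i];              /* arithmetic is modulo 2^32 */
    return total;
}

/* Hardened pattern: accumulate in 64 bits and refuse totals over the limit. */
static bool total_checked(const uint32_t *counts, size_t n, uint32_t *out)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += counts[i];
        if (total > DEMO_HT_MAX_SIZE)
            return false;                /* caller must raise an error, not allocate */
    }
    *out = (uint32_t)total;
    return true;
}

int main(void)
{
    uint32_t safe = 0;
    /* The wrapped total would size the destination for 16 elements only. */
    printf("unchecked total: %u\n", (unsigned)total_unchecked(demo_counts, DEMO_N));
    printf("checked accepts: %s\n",
           total_checked(demo_counts, DEMO_N, &safe) ? "yes" : "no");
    return 0;
}
```

A destination sized from the wrapped total is far smaller than the data later copied into it, which is the condition the description refers to as a heap buffer overflow.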
Affected Version(s)
PHP 8.1.*
PHP 8.1.* < 8.1.34
PHP 8.2.* < 8.2.30
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Niels Dossche
