Buffer Allocation Flaw in OpenSSL Extension in PHP Versions by PHP Group
CVE-2026-14355

5.6 MEDIUM

Key Information:

Vendor

PHP

Status
Vendor
CVE Published:
3 July 2026

What is CVE-2026-14355?

The OpenSSL extension in the affected PHP versions implements AES key wrap with padding (RFC 5649) but sizes the output buffer from the plaintext length alone. RFC 5649 pads the plaintext to a multiple of 8 octets and prepends an 8-octet alternative initial value, so the wrapped output is always larger than the input: 8 + 8 * ceil(len / 8) bytes, between 8 and 15 bytes more than the plaintext. OpenSSL therefore writes past the end of the heap allocation, corrupting adjacent heap data or allocator metadata, which can crash the application. A caller must size the output buffer from the wrapped length, not the plaintext length.
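The following is an added example, not code from the PHP project or from this advisory. It implements the RFC 5649 length rules and wrapping loop in Python so the expansion is visible: the wrapped output is always 8 + 8 * ceil(len / 8) bytes, so a buffer sized to the plaintext length is overrun by 8 to 15 bytes. The block cipher is a constructed stand-in (a keyed XOR plus byte rotation), not AES and not secure; it exists only so the example runs offline, and the length arithmetic does not depend on it. The function names and the `wrap_into_buffer` capacity check are this example's own, not PHP or OpenSSL API.

```python
# Added example: RFC 5649 (AES key wrap with padding) output sizing and wrap
# loop, with a constructed stand-in block cipher. NOT the PHP or OpenSSL code.
import struct

AIV_PREFIX = b"\xA6\x59\x59\xA6"   # RFC 5649 alternative initial value prefix


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 128-bit permutation standing in for AES-128 (NOT a cipher,
    NOT secure): XOR with the key, then rotate the bytes. Invertible."""
    assert len(key) == 16 and len(block) == 16
    mixed = bytes(b ^ k for b, k in zip(block, key))
    return mixed[3:] + mixed[:3]


def rfc5649_padded_len(plaintext_len: int) -> int:
    """Plaintext length rounded up to a multiple of 8 octets (RFC 5649 s.4.1)."""
    return ((plaintext_len + 7) // 8) * 8


def rfc5649_wrapped_len(plaintext_len: int) -> int:
    """Bytes the wrap writes: padded plaintext plus one 8-octet block for the
    AIV. This, not the plaintext length, is the required output buffer size."""
    if plaintext_len < 1:
        raise ValueError("RFC 5649 requires at least one plaintext octet")
    return 8 + rfc5649_padded_len(plaintext_len)


def overrun_if_sized_by_plaintext(plaintext_len: int) -> int:
    """Bytes written past a buffer allocated to plaintext_len only, i.e. the
    sizing error the advisory describes (always between 8 and 15)."""
    return rfc5649_wrapped_len(plaintext_len) - plaintext_len


def fits(plaintext_len: int, out_capacity: int) -> bool:
    """True if an output buffer of out_capacity bytes can hold the wrap."""
    return out_capacity >= rfc5649_wrapped_len(plaintext_len)


def key_wrap_with_padding(key: bytes, plaintext: bytes, encrypt=toy_block_encrypt) -> bytes:
    """RFC 5649 wrap using `encrypt` as the 128-bit block cipher."""
    mli = len(plaintext)
    if mli < 1:
        raise ValueError("nothing to wrap")
    aiv = AIV_PREFIX + struct.pack(">I", mli)            # A65959A6 || MLI
    padded = plaintext + b"\x00" * (rfc5649_padded_len(mli) - mli)
    n = len(padded) // 8
    if n == 1:
        # One 64-bit block: a single cipher call over AIV || P
        return encrypt(key, aiv + padded)
    # Otherwise the RFC 3394 wrapping process with the AIV as the IV
    a = aiv
    r = [padded[i * 8:(i + 1) * 8] for i in range(n)]
    for j in range(6):
        for i in range(n):
            b = encrypt(key, a + r[i])
            t = n * j + (i + 1)
            a = bytes(x ^ y for x, y in zip(b[:8], struct.pack(">Q", t)))
            r[i] = b[8:]
    return a + b"".join(r)           # 8 * (n + 1) bytes, never len(plaintext)


def wrap_into_buffer(key: bytes, plaintext: bytes, out_capacity: int) -> bytes:
    """The check a caller must make before handing OpenSSL an output buffer
    (example's own helper): refuse rather than overrun."""
    need = rfc5649_wrapped_len(len(plaintext))
    if out_capacity < need:
        raise BufferError(f"output buffer {out_capacity} bytes < required {need}")
    return key_wrap_with_padding(key, plaintext)


if __name__ == "__main__":
    key = bytes(range(16))           # constructed sample key
    for pt_len in (1, 7, 8, 9, 16, 20):
        print(f"plaintext {pt_len:2d} -> wrapped {rfc5649_wrapped_len(pt_len):2d}, "
              f"overrun if sized to plaintext: {overrun_if_sized_by_plaintext(pt_len)}")
```

The single-block case (plaintext of 1 to 8 bytes) is the worst one for the flaw: a 1-byte input yields a 16-byte wrapped value, so a 1-byte heap allocation is overrun by 15 bytes.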

Affected Version(s)

php 8.2.0 up to (excluding) 8.2.32

php 8.3.0 up to (excluding) 8.3.32

References

CVSS V3.1

Score:
5.6
Severity:
MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 3 July 2026

Credit

Oleg Baturin
David CARLIER