Buffer Allocation Flaw in OpenSSL Extension in PHP Versions by PHP Group
CVE-2026-14355
5.6 (MEDIUM)
What is CVE-2026-14355?
The OpenSSL extension in certain PHP versions contains a flaw in its implementation of the AES key-wrap-with-padding algorithm. This vulnerability arises from incorrect sizing of the output buffer, which is determined solely by the plaintext length without considering the necessary expansion as specified in RFC 5649. Consequently, this could lead to OpenSSL writing beyond the allocated memory, corrupting heap metadata and potentially resulting in application crashes.
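To make the expansion concrete, the following is an added Python example; it is not code from PHP or OpenSSL and the function names are chosen here for illustration. It implements the output-size accounting of RFC 5649 (plaintext padded up to a multiple of 8 bytes, plus one 8-byte integrity semiblock) and contrasts it with the plaintext-length sizing the advisory describes, so the shortfall for each input length is visible. It also shows the Alternative Initial Value (AIV) construction from the RFC and the pre-call checks a binding would want in front of the wrap and unwrap routines.

```python
# Added example (not PHP's or OpenSSL's code): output-size accounting for
# AES key wrap with padding (RFC 5649), the expansion the advisory says the
# flawed buffer sizing ignored. Function names are illustrative only.

import struct

AIV_PREFIX = b"\xa6\x59\x59\xa6"   # RFC 5649 alternative IV constant
SEMIBLOCK = 8                       # key-wrap operates on 64-bit semiblocks


def rfc5649_padded_len(n: int) -> int:
    """Plaintext length after zero-padding up to the next multiple of 8 bytes."""
    if n <= 0:
        raise ValueError("RFC 5649 requires at least one byte of plaintext")
    return ((n + SEMIBLOCK - 1) // SEMIBLOCK) * SEMIBLOCK


def rfc5649_wrapped_len(n: int) -> int:
    """Ciphertext length: padded plaintext plus one 8-byte integrity semiblock.

    For 1..8 bytes of plaintext the result is a single 16-byte AES block
    (RFC 5649 section 4.1); the same formula covers that case.
    """
    return rfc5649_padded_len(n) + SEMIBLOCK


def rfc5649_aiv_and_padding(plaintext: bytes) -> tuple:
    """Build the Alternative Initial Value (prefix || 32-bit big-endian MLI)
    and the zero-padded plaintext that the wrap operation actually processes."""
    n = len(plaintext)
    aiv = AIV_PREFIX + struct.pack(">I", n)   # MLI = message length indicator
    padded = plaintext + b"\x00" * (rfc5649_padded_len(n) - n)
    return aiv, padded


def naive_out_len(n: int) -> int:
    """The flawed sizing described in the advisory: buffer == plaintext length."""
    return n


def overflow_bytes(n: int) -> int:
    """How far a plaintext-sized buffer falls short of the wrapped output.

    This is never less than 8 bytes, because the integrity semiblock is
    always appended; it grows by the padding when n is not a multiple of 8.
    """
    return rfc5649_wrapped_len(n) - naive_out_len(n)


def check_wrap_buffer(n: int, buf_size: int) -> bool:
    """Precondition a binding should enforce before handing a buffer to wrap."""
    return buf_size >= rfc5649_wrapped_len(n)


def check_unwrap_input(wrapped_len: int) -> bool:
    """Sanity check on ciphertext before unwrapping: at least two semiblocks
    (AIV plus one data semiblock) and a whole number of them."""
    return wrapped_len >= 2 * SEMIBLOCK and wrapped_len % SEMIBLOCK == 0


if __name__ == "__main__":
    # Constructed sample lengths spanning the single-block and multi-block cases.
    for n in (1, 8, 9, 16, 17, 32):
        print(f"plaintext {n:3d} B -> wrapped {rfc5649_wrapped_len(n):3d} B, "
              f"shortfall with plaintext-sized buffer: {overflow_bytes(n):2d} B")
```

Running the block prints one line per sample length; a 16-byte key, for instance, wraps to 24 bytes, so a buffer sized to the plaintext is 8 bytes short, and a 9-byte input is 15 bytes short because padding is added before the integrity block. The `check_wrap_buffer` and `check_unwrap_input` helpers are the kind of length guard a language binding would place in front of the underlying OpenSSL call.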
Affected Version(s)
php 8.2.0 up to, but not including, 8.2.32
php 8.3.0 up to, but not including, 8.3.32