CVE-2025-14178

EUVD-2025-205485

27.12.2025, 20:15

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
php	CNA	6.5 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Affected Products (NVD)

Vendor	Product	Version
php	php	8.1.0 ≤ 𝑥 < 8.1.34
php	php	8.2.0 ≤ 𝑥 < 8.2.30
php	php	8.3.0 ≤ 𝑥 < 8.3.29
php	php	8.4.0 ≤ 𝑥 < 8.4.16
php	php	8.5.0 ≤ 𝑥 < 8.5.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

php7.4

bullseye	vulnerable
bullseye (security)	7.4.33-1+deb11u10 fixed

php8.2

bookworm	vulnerable
bookworm (security)	vulnerable

php8.4

forky	8.4.16-1 fixed
sid	8.4.16-1 fixed
trixie	vulnerable
trixie (security)	8.4.16-1~deb13u1 fixed

Ubuntu Releases

Ubuntu Product

Codename

php5

jammy	dne
noble	dne
plucky	dne
questing	dne
trusty	not-affected

php7.0

jammy	dne
noble	dne
plucky	dne
questing	dne
xenial	not-affected

php7.2

bionic	Fixed 7.2.24-0ubuntu0.18.04.17+esm12 released
jammy	dne
noble	dne
plucky	dne
questing	dne

php7.4

focal	Fixed 7.4.3-4ubuntu2.29+esm3 released
jammy	dne
noble	dne
plucky	dne
questing	dne

php8.1

jammy	Fixed 8.1.2-1ubuntu2.23 released
noble	dne
plucky	dne
questing	dne

php8.3

jammy	dne
noble	Fixed 8.3.6-0ubuntu0.24.04.6 released
plucky	dne
questing	dne

php8.4

jammy	dne
noble	dne
plucky	Fixed 8.4.5-1ubuntu1.2 released
questing	Fixed 8.4.11-1ubuntu1.1 released

Common Weakness Enumeration

CWE-190 - Integer Overflow or Wraparound
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Vulnerability Media Exposure

[GERMAN] PHP: Mehrere Schwachstellen
Ein entfernter Angreifer kann mehrere Schwachstellen in PHP ausnutzen, um Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, um einen Server-Side Request-Forgery Angriff ausführen oder nicht bekannte Auswirkungen erzielen.
Published: 2025-12-18T23:00:00+00:00

References

https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2

https://lists.debian.org/debian-lts-announce/2026/01/msg00019.html