CVE-2026-14355

EUVD-2026-41609
In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, and 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in the OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering an application abort.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| php | CNA | 5.6 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
EPSS Score percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| php | php | 8.2.0 ≤ x < 8.2.32 | CNA |
| php | php | 8.3.0 ≤ x < 8.3.32 | CNA |
| php | php | 8.4.0 ≤ x < 8.4.23 | CNA |
| php | php | 8.5.0 ≤ x < 8.5.8 | CNA |
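Debian Releases
| Debian Product | Codename | Version | Status |
|---|---|---|---|
| php7.4 | bullseye | | vulnerable |
| php7.4 | bullseye (security) | | vulnerable |
| php8.2 | bookworm | | vulnerable |
| php8.2 | bookworm (security) | | vulnerable |
| php8.4 | forky | | vulnerable |
| php8.4 | sid | 8.4.23-1 | fixed |
| php8.4 | trixie | | vulnerable |
| php8.4 | trixie (security) | | vulnerable |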