CVE Catalog

CVE-2026-14355

MediumCVSS 5.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

19th percentile — higher than 19% of all known CVEs

Summary

In the AES-WRAP-PAD algorithm implementation in the OpenSSL extension for PHP, there is a buffer allocation flaw. The output buffer for the key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion, which may cause out-of-bounds memory write.

Risk Assessment

The vulnerability can lead to heap corruption and application abort, resulting in denial of service (DoS) and potential data integrity compromise.

Recommendation

Immediately upgrade PHP to version 8.2.32, 8.3.32, 8.4.23, or 8.5.8 depending on the branch in use.

Original NVD description (English source)

In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS