CVE-2026-14355

MEDIUM

ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD

Title source: cna
STIX 2.1

Description

In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory GHSA-7jrw-539f-x6vr
https://github.com/php/php-src/security/advisories/GHSA-7jrw-539f-x6vr

Scores

CVSS v3 5.6
EPSS 0.0031
EPSS Percentile 22.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-122
Status published
Products (5)
debian/debian_linux 12.0
php/php 8.2.0 - 8.2.32 (2 CPE variants)
php/php 8.3.0 - 8.3.32
php/php 8.4.0 - 8.4.23
php/php 8.5.0 - 8.5.8
Published Jul 03, 2026
Tracked Since Jul 04, 2026