CVE-2026-14355
MEDIUMext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD
Title source: cnaDescription
In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory GHSA-7jrw-539f-x6vr
https://github.com/php/php-src/security/advisories/GHSA-7jrw-539f-x6vr
Scores
CVSS v3
5.6
EPSS
0.0031
EPSS Percentile
22.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-122
Status
published
Products (5)
debian/debian_linux
12.0
php/php
8.2.0 - 8.2.32 (2 CPE variants)
php/php
8.3.0 - 8.3.32
php/php
8.4.0 - 8.4.23
php/php
8.5.0 - 8.5.8
Published
Jul 03, 2026
Tracked Since
Jul 04, 2026