๐Ÿ” CVE Alert

CVE-2026-14355

MEDIUM 5.6

ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD

CVSS Score
5.6
EPSS Score
0.0%
EPSS Percentile
0th

In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort.

CWE CWE-122
Vendor php
Product php
Ecosystems
Industries
Technology
Published Jul 3, 2026
Last Updated Jul 3, 2026
Stay Ahead of the Next One

Get instant alerts for php php

Be the first to know when new medium vulnerabilities affecting php php are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Affected Versions

php / php
8.2.0 < 8.2.32 8.3.0 < 8.3.32 8.4.0 < 8.4.23 8.5.0 < 8.5.8

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/php/php-src/security/advisories/GHSA-7jrw-539f-x6vr

Credits

Oleg Baturin David CARLIER