CVE-2026-14355
ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD
| CVSS Score | 5.6 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, and 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in the OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering an application abort.
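The expansion the description refers to can be made concrete with a sizing helper. The following is an added example, not code from PHP or OpenSSL: the function names are hypothetical, the sample lengths are constructed, and the overrun figures assume a buffer of exactly the plaintext length, which is one reading of "sized from the plaintext length".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KWP_SEMIBLOCK 8u /* RFC 5649 pads key data to 64-bit semiblocks */
#define KWP_AIV_LEN   8u /* alternative initial value placed before the data */

/* Ciphertext length for AES key wrap with padding (RFC 5649).
 * Returns 0 for empty input, input too long for the 32-bit length
 * indicator, or a result that does not fit in size_t. */
size_t kwp_wrapped_len(size_t plain_len)
{
    if (plain_len == 0 || (uint64_t)plain_len > UINT32_MAX)
        return 0;
    uint64_t padded = ((uint64_t)plain_len + KWP_SEMIBLOCK - 1)
                      / KWP_SEMIBLOCK * KWP_SEMIBLOCK;
    uint64_t need = padded + KWP_AIV_LEN;
    return need > SIZE_MAX ? 0 : (size_t)need;
}

/* Bytes that would land past the end of a buf_len-byte output buffer
 * when the wrapped form of plain_len bytes is written (0 if it fits). */
size_t kwp_overrun(size_t plain_len, size_t buf_len)
{
    size_t need = kwp_wrapped_len(plain_len);
    return need > buf_len ? need - buf_len : 0;
}

int main(void)
{
    /* Constructed sample plaintext lengths, in bytes. */
    const size_t samples[] = { 1, 8, 9, 16, 31, 32 };
    puts("plain  wrapped  overrun(buffer == plain)");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = samples[i];
        printf("%5zu  %7zu  %7zu\n", n, kwp_wrapped_len(n), kwp_overrun(n, n));
    }
    return 0;
}
```

The output is always 8 to 15 bytes longer than the input, so an allocation must be sized from `kwp_wrapped_len()` rather than from the plaintext length.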
| CWE | CWE-122 |
| Vendor | php |
| Product | php |
| Ecosystems | |
| Industries | Technology |
| Published | Jul 3, 2026 |
| Last Updated | Jul 3, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | Low |
Affected Versions
php / php
8.2.0 < 8.2.32
8.3.0 < 8.3.32
8.4.0 < 8.4.23
8.5.0 < 8.5.8
References
Credits
Oleg Baturin, David CARLIER