CVE-2026-14355 in PHPinfo

Summary

by MITRE • 07/04/2026

In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/04/2026

This vulnerability affects PHP installations using the OpenSSL extension with specific version ranges across multiple PHP branches including 8.2.x before 8.2.32, 8.3.x before 8.3.32, 8.4.x before 8.4.23, and 8.5.x before 8.5.8. The issue resides in the AES-WRAP-PAD algorithm implementation which is part of the OpenSSL cryptographic functions available to PHP applications. When processing AES key-wrap-with-padding operations, the extension incorrectly calculates buffer sizes based solely on the plaintext length without considering the additional padding requirements defined in RFC 5649 standards.

The technical flaw manifests as an insufficient buffer allocation during the AES-WRAP-PAD operation where the output buffer size is determined by the original plaintext length rather than accounting for the expanded size required by the RFC 5649 padding scheme. This padding algorithm requires that the encrypted data be padded to a multiple of 8 bytes, and when combined with the key-wrapping process, the final output size exceeds what was initially allocated. The buffer overflow occurs because OpenSSL writes beyond the pre-allocated memory boundaries, leading to heap corruption that can result in application crashes or potentially more severe consequences.

The operational impact of this vulnerability extends beyond simple application instability as it represents a critical memory corruption issue that can be exploited by attackers who control the input data to the AES-WRAP-PAD function. This flaw falls under CWE-122, heap-based buffer overflow, and aligns with ATT&CK technique T1059.007 for execution through scripting. The vulnerability is particularly concerning because it affects a core cryptographic operation that many PHP applications depend upon for secure data handling, potentially allowing attackers to cause denial of service or, in more sophisticated scenarios, achieve memory corruption that could lead to arbitrary code execution depending on the application context and memory layout.

The recommended mitigations include immediate upgrade to patched PHP versions where the buffer allocation logic has been corrected to properly account for RFC 5649 padding requirements. Organizations should also implement monitoring for any unusual application behavior or crashes related to cryptographic operations, particularly those involving key-wrapping functions. Additionally, developers should validate input data sizes and consider implementing additional defensive programming practices when using OpenSSL encryption functions, though the primary fix must come from updating to patched PHP versions that address the root cause buffer allocation issue.

Responsible

Php

Reservation

07/01/2026

Disclosure

07/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00276

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!