
PEACH
Un cadre d’isolation des locataires
CVE-2026-12184 is a remotely-triggerable Denial of Service (DoS) vulnerability in PHP's HTTP stream wrapper, specifically in the php_stream_url_wrap_http_ex function. When TLS crypto setup fails (e.g., due to peer name validation failure or an expired certificate), the stream is closed and reset to NULL, but the subsequent peer name cleanup block unconditionally attempts to dereference the now-NULL stream pointer, causing a segmentation fault. This affects PHP versions before 8.3.32, 8.4.21, and 8.5.6. The vulnerability was published on July 2, 2026, with a CVSS v4 base score of 8.2 (High) (GitHub Advisory).
The root cause is a missing NULL check in ext/standard/http_fopen_wrapper.c at the peer name cleanup block following TLS setup failure. When php_stream_xport_crypto_setup or php_stream_xport_crypto_enable fails, the stream is closed and set to NULL; however, the code at line 579 unconditionally calls php_stream_context_unset_option(PHP_STREAM_CONTEXT(stream), "ssl", "peer_name") without first verifying that stream is non-NULL, resulting in a NULL pointer dereference and segfault (CWE-476). The vulnerability is triggerable without specially crafted code — a standard file_get_contents() call to an HTTPS URL via a proxy that causes TLS failure is sufficient, as demonstrated in the linked issue (GitHub Issue, GitHub Advisory).
Successful exploitation causes the entire PHP-FPM process to crash, bringing down all its workers and resulting in a complete availability loss for applications relying on that FPM pool. There is no confidentiality or integrity impact — the vulnerability is purely a DoS condition. Because FPM workers are all terminated together, any application using PHP-FPM for web serving would become entirely unavailable until the process is restarted (GitHub Advisory).
file_get_contents() or similar stream-based functions, optionally through a configurable proxy.php_stream_xport_crypto_setup or php_stream_xport_crypto_enable to return failure.php_stream_context_unset_option(PHP_STREAM_CONTEXT(stream), "ssl", "peer_name") without a NULL check, causing a segmentation fault.Segmentation fault or child ... exited on signal 11 (SIGSEGV) entries; system logs (/var/log/syslog or journalctl) recording repeated FPM process crashes.Upgrade PHP to the patched versions: 8.3.32, 8.4.21, or 8.5.6, which include the fix adding a NULL check before the peer name cleanup block (patch available via php-src PR #21031). As a temporary workaround, restrict PHP applications from making outbound HTTPS requests through untrusted proxies or to untrusted servers, and consider disabling proxy stream context options where not required. Monitoring and auto-restart of PHP-FPM can reduce downtime impact until patching is complete (GitHub Advisory, Remi's Blog).
The vulnerability was discovered using a hybrid static-dynamic analyzer being developed by the reporter (ndossche), who credited the tool in the advisory. The PHP security team rated it High severity and published the advisory on July 2, 2026. Remi's repository for Fedora and RHEL shipped updated PHP packages shortly after disclosure, and Debian also tracked the issue via OSV (Remi's Blog, GitHub Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."