CVE-2026-12184
PHP Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-12184 is a remotely-triggerable Denial of Service (DoS) vulnerability in PHP's HTTP stream wrapper, specifically in the php_stream_url_wrap_http_ex function. When TLS crypto setup fails (e.g., due to peer name validation failure or an expired certificate), the stream is closed and reset to NULL, but the subsequent peer name cleanup block unconditionally attempts to dereference the now-NULL stream pointer, causing a segmentation fault. This affects PHP versions before 8.3.32, 8.4.21, and 8.5.6. The vulnerability was published on July 2, 2026, with a CVSS v4 base score of 8.2 (High) (GitHub Advisory).

Détails techniques

The root cause is a missing NULL check in ext/standard/http_fopen_wrapper.c at the peer name cleanup block following TLS setup failure. When php_stream_xport_crypto_setup or php_stream_xport_crypto_enable fails, the stream is closed and set to NULL; however, the code at line 579 unconditionally calls php_stream_context_unset_option(PHP_STREAM_CONTEXT(stream), "ssl", "peer_name") without first verifying that stream is non-NULL, resulting in a NULL pointer dereference and segfault (CWE-476). The vulnerability is triggerable without specially crafted code — a standard file_get_contents() call to an HTTPS URL via a proxy that causes TLS failure is sufficient, as demonstrated in the linked issue (GitHub Issue, GitHub Advisory).

Impact

Successful exploitation causes the entire PHP-FPM process to crash, bringing down all its workers and resulting in a complete availability loss for applications relying on that FPM pool. There is no confidentiality or integrity impact — the vulnerability is purely a DoS condition. Because FPM workers are all terminated together, any application using PHP-FPM for web serving would become entirely unavailable until the process is restarted (GitHub Advisory).

Étapes d’exploitation

  1. Identify target: Locate a PHP application (running PHP < 8.3.32, < 8.4.21, or < 8.5.6 with PHP-FPM) that makes outbound HTTPS requests using file_get_contents() or similar stream-based functions, optionally through a configurable proxy.
  2. Trigger TLS failure: Position a server or proxy such that the TLS handshake with the PHP application fails — for example, by presenting an expired certificate, a certificate with a mismatched peer name, or by acting as a man-in-the-middle that causes php_stream_xport_crypto_setup or php_stream_xport_crypto_enable to return failure.
  3. Induce NULL dereference: When TLS setup fails, PHP closes and NULLs the stream internally, then proceeds to call php_stream_context_unset_option(PHP_STREAM_CONTEXT(stream), "ssl", "peer_name") without a NULL check, causing a segmentation fault.
  4. Crash FPM workers: The segfault terminates the PHP-FPM process along with all its worker processes, rendering the application unavailable until FPM is restarted (GitHub Advisory, GitHub Issue).

Indicateurs de compromis

  • Logs: PHP-FPM error logs showing Segmentation fault or child ... exited on signal 11 (SIGSEGV) entries; system logs (/var/log/syslog or journalctl) recording repeated FPM process crashes.
  • Process: Sudden termination of all PHP-FPM worker processes; monitoring alerts for FPM pool unavailability or zero active workers.
  • Network: Repeated outbound HTTPS connections from the PHP server to an external host that consistently fail TLS handshake, potentially to an attacker-controlled or misconfigured server.

Atténuation et solutions de contournement

Upgrade PHP to the patched versions: 8.3.32, 8.4.21, or 8.5.6, which include the fix adding a NULL check before the peer name cleanup block (patch available via php-src PR #21031). As a temporary workaround, restrict PHP applications from making outbound HTTPS requests through untrusted proxies or to untrusted servers, and consider disabling proxy stream context options where not required. Monitoring and auto-restart of PHP-FPM can reduce downtime impact until patching is complete (GitHub Advisory, Remi's Blog).

Réactions de la communauté

The vulnerability was discovered using a hybrid static-dynamic analyzer being developed by the reporter (ndossche), who credited the tool in the advisory. The PHP security team rated it High severity and published the advisory on July 2, 2026. Remi's repository for Fedora and RHEL shipped updated PHP packages shortly after disclosure, and Debian also tracked the issue via OSV (Remi's Blog, GitHub Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté PHP Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-49289HIGH7.5
  • PHP logoPHP
  • simplesamlphp/saml2
NonOuiJul 02, 2026
CVE-2026-49284HIGH7.1
  • PHP logoPHP
  • simplesamlphp/simplesamlphp
NonOuiJul 02, 2026
CVE-2026-14355MEDIUM5.6
  • PHP logoPHP
  • php7.4
NonOuiJul 03, 2026
GHSA-j5mc-p8qg-39j7LOW1.3
  • PHP logoPHP
  • kimai/kimai
NonOuiJul 02, 2026
CVE-2026-12184NONEN/A
  • PHP logoPHP
  • php83
NonOuiJul 03, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités