CVE-2026-14355
PHP Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-14355 is a memory corruption vulnerability in PHP's ext/openssl extension, specifically triggered when using openssl_encrypt() with the AES-WRAP-PAD (AES key-wrap-with-padding) algorithm. The flaw causes a heap buffer overflow that corrupts Zend MM heap metadata, ultimately aborting the application. It affects PHP versions prior to 8.2.32, 8.3.32, 8.4.23, and 8.5.8. The vulnerability was published on July 2, 2026, with a CVSS v3.1 base score of 4.8 (Moderate) (GitHub Advisory).

Détails techniques

The root cause is an incorrectly sized output buffer in the AES key-wrap-with-padding (RFC 5649) code path within PHP's OpenSSL extension. When openssl_encrypt() is called with AES-WRAP-PAD, the allocated zend_string buffer is sized based on the raw plaintext length, without accounting for RFC 5649 expansion: the ciphertext is roundup(len, 8) + 8 bytes, not simply a function of the input length. OpenSSL's EVP_EncryptUpdate/EVP_EncryptFinal then writes the full wrapped output past the end of the undersized heap allocation, corrupting adjacent Zend MM heap metadata (CWE not formally assigned). The corruption manifests as a zend_mm_heap corrupted abort on a subsequent allocator operation rather than at the moment of overflow (GitHub Advisory, GitHub Issue).

Impact

Successful exploitation causes the PHP application to abort due to heap metadata corruption, resulting in a Denial of Service (DoS). There is also a low confidentiality impact, as heap corruption can in some scenarios expose adjacent memory contents. The vulnerability is limited in scope (Unchanged) and has no integrity impact. Because AES-WRAP-PAD is a rarely used algorithm, the attack surface is narrow, but any application exposing this code path to attacker-controlled input is at risk (GitHub Advisory).

Étapes d’exploitation

  1. Identify target: Find a PHP application (running PHP < 8.2.32, < 8.3.32, < 8.4.23, or < 8.5.8) that calls openssl_encrypt() with the aes-128-wrap-pad, aes-192-wrap-pad, or aes-256-wrap-pad cipher method and accepts attacker-influenced plaintext input.
  2. Craft malicious input: Supply plaintext data to the vulnerable openssl_encrypt() call such that the AES-WRAP-PAD expansion (roundup(len, 8) + 8) exceeds the allocated buffer size, triggering the heap overflow.
  3. Trigger corruption: The OpenSSL EVP_EncryptUpdate/EVP_EncryptFinal functions write beyond the undersized zend_string buffer, corrupting adjacent Zend MM heap metadata.
  4. Achieve DoS: On a subsequent memory allocation or deallocation, the PHP allocator detects the corrupted bookkeeping and aborts the process with a zend_mm_heap corrupted error, causing application downtime (GitHub Advisory, GitHub Issue).

Indicateurs de compromis

  • Logs: PHP error logs or system logs containing zend_mm_heap corrupted fatal errors or unexpected PHP-FPM/CLI process crashes.
  • Process: Unexpected termination of PHP worker processes (PHP-FPM pool workers restarting) without a clear application-level exception.
  • Application: Repeated or targeted requests to application endpoints that invoke openssl_encrypt() with AES-WRAP-PAD cipher modes (aes-128-wrap-pad, aes-192-wrap-pad, aes-256-wrap-pad) (GitHub Advisory).

Atténuation et solutions de contournement

PHP has released patched versions 8.2.32, 8.3.32, 8.4.23, and 8.5.8 which fix the buffer sizing issue in the AES-WRAP-PAD code path. Administrators should upgrade to one of these versions as the primary remediation. As a workaround where upgrading is not immediately possible, avoid using AES-WRAP-PAD (aes-*-wrap-pad) cipher modes in openssl_encrypt() calls, substituting alternative authenticated encryption algorithms (GitHub Advisory, Remi's Blog).

Réactions de la communauté

The vulnerability was reported by olegbaturin via a GitHub issue on May 29, 2026, and the security advisory was published by PHP maintainer bukka on July 2, 2026. The Remi repository for Fedora and RHEL shipped updated PHP packages shortly after the release. Coverage has been limited to package maintainer blogs and vulnerability tracking services, consistent with the moderate severity and narrow attack surface of the flaw (Remi's Blog, GitHub Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté PHP Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-49289HIGH7.5
  • PHP logoPHP
  • simplesamlphp/saml2
NonOuiJul 02, 2026
CVE-2026-49284HIGH7.1
  • PHP logoPHP
  • simplesamlphp/simplesamlphp
NonOuiJul 02, 2026
CVE-2026-14355MEDIUM5.6
  • PHP logoPHP
  • php7.4
NonOuiJul 03, 2026
GHSA-j5mc-p8qg-39j7LOW1.3
  • PHP logoPHP
  • kimai/kimai
NonOuiJul 02, 2026
CVE-2026-12184NONEN/A
  • PHP logoPHP
  • php83
NonOuiJul 03, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités