
PEACH
Un cadre d’isolation des locataires
CVE-2026-14355 is a memory corruption vulnerability in PHP's ext/openssl extension, specifically triggered when using openssl_encrypt() with the AES-WRAP-PAD (AES key-wrap-with-padding) algorithm. The flaw causes a heap buffer overflow that corrupts Zend MM heap metadata, ultimately aborting the application. It affects PHP versions prior to 8.2.32, 8.3.32, 8.4.23, and 8.5.8. The vulnerability was published on July 2, 2026, with a CVSS v3.1 base score of 4.8 (Moderate) (GitHub Advisory).
The root cause is an incorrectly sized output buffer in the AES key-wrap-with-padding (RFC 5649) code path within PHP's OpenSSL extension. When openssl_encrypt() is called with AES-WRAP-PAD, the allocated zend_string buffer is sized based on the raw plaintext length, without accounting for RFC 5649 expansion: the ciphertext is roundup(len, 8) + 8 bytes, not simply a function of the input length. OpenSSL's EVP_EncryptUpdate/EVP_EncryptFinal then writes the full wrapped output past the end of the undersized heap allocation, corrupting adjacent Zend MM heap metadata (CWE not formally assigned). The corruption manifests as a zend_mm_heap corrupted abort on a subsequent allocator operation rather than at the moment of overflow (GitHub Advisory, GitHub Issue).
Successful exploitation causes the PHP application to abort due to heap metadata corruption, resulting in a Denial of Service (DoS). There is also a low confidentiality impact, as heap corruption can in some scenarios expose adjacent memory contents. The vulnerability is limited in scope (Unchanged) and has no integrity impact. Because AES-WRAP-PAD is a rarely used algorithm, the attack surface is narrow, but any application exposing this code path to attacker-controlled input is at risk (GitHub Advisory).
openssl_encrypt() with the aes-128-wrap-pad, aes-192-wrap-pad, or aes-256-wrap-pad cipher method and accepts attacker-influenced plaintext input.openssl_encrypt() call such that the AES-WRAP-PAD expansion (roundup(len, 8) + 8) exceeds the allocated buffer size, triggering the heap overflow.EVP_EncryptUpdate/EVP_EncryptFinal functions write beyond the undersized zend_string buffer, corrupting adjacent Zend MM heap metadata.zend_mm_heap corrupted error, causing application downtime (GitHub Advisory, GitHub Issue).zend_mm_heap corrupted fatal errors or unexpected PHP-FPM/CLI process crashes.openssl_encrypt() with AES-WRAP-PAD cipher modes (aes-128-wrap-pad, aes-192-wrap-pad, aes-256-wrap-pad) (GitHub Advisory).PHP has released patched versions 8.2.32, 8.3.32, 8.4.23, and 8.5.8 which fix the buffer sizing issue in the AES-WRAP-PAD code path. Administrators should upgrade to one of these versions as the primary remediation. As a workaround where upgrading is not immediately possible, avoid using AES-WRAP-PAD (aes-*-wrap-pad) cipher modes in openssl_encrypt() calls, substituting alternative authenticated encryption algorithms (GitHub Advisory, Remi's Blog).
The vulnerability was reported by olegbaturin via a GitHub issue on May 29, 2026, and the security advisory was published by PHP maintainer bukka on July 2, 2026. The Remi repository for Fedora and RHEL shipped updated PHP packages shortly after the release. Coverage has been limited to package maintainer blogs and vulnerability tracking services, consistent with the moderate severity and narrow attack surface of the flaw (Remi's Blog, GitHub Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."