CVE-2025-14178 MEDIUM

CVE-2025-14178: Heap buffer overflow in array_merge()

Vendor Php Group

Product PHP

Weakness CWE-787

Published December 27, 2025

Last update January 24, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

01Description

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

Key dates

02Disclosure timeline

December 27, 2025 CVE published

January 24, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-14178 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/787.html

Related vulnerabilities

Identifiers

CVE CVE-2025-14178

CWE CWE-787

CVSS 6.5 / MEDIUM

Affected versions

Vendor Php Group

Product PHP

Affected ≥ 8.1.* and < 8.1.34

Vendor Php Group

Product PHP

Affected ≥ 8.2.* and < 8.2.30

Vendor Php Group

Product PHP

Affected ≥ 8.3.* and < 8.3.29

Vendor Php Group

Product PHP

Affected ≥ 8.4.* and < 8.4.16

Vendor Php Group

Product PHP

Affected ≥ 8.5.* and < 8.5.1

CVE-2025-14178: Heap buffer overflow in array_merge()

01Description

02Disclosure timeline

03References

04Related CVE