CVE-2026-14355 MEDIUM

CVE-2026-14355: ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD

Vendor Php
Product php
Weakness CWE-122
Published July 3, 2026
Last update July 4, 2026

CVSS base score

5.6/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, and 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in the OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond the allocated memory, corrupting heap metadata and triggering an application abort.
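The RFC 5649 expansion mentioned above, worked through as an added example (this is not PHP's code or its patch; the function names are hypothetical). It computes the size the wrapped output needs and how far a write would run past a given allocation. The `alloc == n` case in `main` is an assumption that models a buffer sized from the plaintext length alone.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KWP_SEMIBLOCK 8u /* RFC 5649 operates on 64-bit semiblocks */
#define KWP_AIV_LEN   8u /* alternative initial value carried in the output */

/* Bytes of ciphertext RFC 5649 produces for n plaintext bytes: n padded up
 * to a multiple of 8, plus the 8-byte AIV. Returns 0 if n is 0 or the
 * arithmetic would overflow size_t. */
size_t kwp_wrapped_len(size_t n)
{
    if (n == 0 || n > SIZE_MAX - (KWP_SEMIBLOCK - 1) - KWP_AIV_LEN)
        return 0;
    size_t padded = (n + KWP_SEMIBLOCK - 1) / KWP_SEMIBLOCK * KWP_SEMIBLOCK;
    return padded + KWP_AIV_LEN;
}

/* Bytes that would land past the end of a buffer of alloc bytes when the
 * wrap of n plaintext bytes is written into it; 0 means the output fits
 * (or n was rejected by kwp_wrapped_len). */
size_t kwp_overrun(size_t alloc, size_t n)
{
    size_t need = kwp_wrapped_len(n);
    return need > alloc ? need - alloc : 0;
}

int main(void)
{
    /* Constructed plaintext lengths; alloc == n models a buffer sized
     * from the plaintext length alone (assumption for illustration). */
    const size_t lens[] = { 1, 8, 16, 17, 32 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t n = lens[i];
        printf("plaintext=%zu wrapped=%zu overrun_if_alloc_eq_n=%zu\n",
               n, kwp_wrapped_len(n), kwp_overrun(n, n));
    }
    return 0;
}
```

The output is always 8 to 15 bytes longer than the plaintext, so any allocation that tracks only the input length is short by at least one semiblock.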

Key dates

02 Disclosure timeline

July 3, 2026 CVE published
July 4, 2026 Record updated