CVE-2026-14355
MediumCVSS 5.6Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
In the AES-WRAP-PAD algorithm implementation in the OpenSSL extension for PHP, there is a buffer allocation flaw. The output buffer for the key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion, which may cause out-of-bounds memory write.
Risk Assessment
The vulnerability can lead to heap corruption and application abort, resulting in denial of service (DoS) and potential data integrity compromise.
Recommendation
Immediately upgrade PHP to version 8.2.32, 8.3.32, 8.4.23, or 8.5.8 depending on the branch in use.
Original NVD description (English source)
In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort.

