Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Debian DLA |
DLA-4669-1 | php8.2 security update |
Debian DSA |
DSA-6377-1 | php8.4 security update |
Mon, 06 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 03 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Php
Php php |
|
| Vendors & Products |
Php
Php php |
Fri, 03 Jul 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort. | |
| Title | ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD | |
| Weaknesses | CWE-122 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: php
Published:
Updated: 2026-07-06T13:57:58.387Z
Reserved: 2026-07-01T17:52:41.706Z
Link: CVE-2026-14355
Updated: 2026-07-04T15:25:16.999Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-07T11:30:16Z
Debian DLA
Debian DSA