- Product: php
- Vulnerabilities: 1 flaw (CVE-2026-14355)
- Highest severity: 5.6 (Medium · CVSSv3)
- Worst impact: ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD
- Status: No confirmed exploitation yet; patches available
- Action: Update to 8.2.32, 8.3.32, 8.4.23, 8.5.8 now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-14355 | 5.6 | CWE-122 | 8.2.32, 8.3.32, 8.4.23 (+1) | Not exploited |
TL;DR
The PHP team fixed two flaws, including a PHP remote DoS that can crash a whole PHP-FPM pool. CVE-2026-12184 (CVSS 8.2) triggers on a failed TLS handshake with a remote server. A second bug, CVE-2026-14355 (CVSS 4.8), corrupts heap memory during a rare OpenSSL operation.
Why It Matters
PHP-FPM runs many high-traffic websites, so its stability matters widely. So one crash can take down every worker at once. CVE-2026-12184 needs no crafted payload, and a remote server can set it off. That makes this PHP remote DoS easy to trigger, whether by accident or on purpose. The OpenSSL bug scores lower because it needs a rare code path. Still, both deserve a prompt update. So far, no in-the-wild exploitation has been reported for either flaw.
How the Attacks Work
TLS cleanup crash (CVE-2026-12184)
When an HTTPS stream fails its TLS setup, PHP closes the stream and sets it to NULL. However, the next cleanup step still tries to reset the peer name on that dead stream. As the PHP advisory for CVE-2026-12184 explains, an expired or invalid certificate is enough to reach the fault.
OpenSSL heap overflow (CVE-2026-14355)
The openssl_encrypt function sizes its output buffer from the input length. Yet AES key-wrap-with-padding adds bytes, so OpenSSL writes past that buffer. The advisory for CVE-2026-14355 notes the overflow then corrupts Zend heap metadata. Only apps that call this rare algorithm are exposed.
Affected Versions
CVE-2026-12184 affects PHP before 8.3.32, 8.4.21, and 8.5.6. Meanwhile, CVE-2026-14355 affects PHP before 8.2.32, 8.3.32, 8.4.23, and 8.5.8.
Patch and Mitigation
Update PHP to the fixed release for your branch. The TLS fix lands in 8.3.32, 8.4.21, and 8.5.6. The OpenSSL fix lands in 8.2.32, 8.3.32, 8.4.23, and 8.5.8. No workaround matches a real patch here. Admins on 8.3 through 8.5 should prioritize the PHP remote DoS fix.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.