PHP 8.2-8.5 OpenSSL AES-WRAP-PAD Buffer Overwrite (pre 8.4.23)
CVE-2026-14355 Published on July 3, 2026
ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD
In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, and 8.5.* before 8.5.8, the AES-WRAP-PAD implementation in the OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for the RFC 5649 expansion (padding to a multiple of 8 bytes plus the 8-byte integrity block). This may cause OpenSSL to write beyond the allocated memory, corrupting heap metadata and triggering an application abort.
Vulnerability Analysis
CVE-2026-14355 can be exploited with network access and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be low, with a small impact on confidentiality, integrity and availability.
Weakness Type
Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Products Associated with CVE-2026-14355
Affected Versions
php:
- Versions from 8.2.0 up to, but not including, 8.2.32 are affected.
- Versions from 8.3.0 up to, but not including, 8.3.32 are affected.
- Versions from 8.4.0 up to, but not including, 8.4.23 are affected.
- Versions from 8.5.0 up to, but not including, 8.5.8 are affected.
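As an added example, not code from the advisory or from php-src, the following PHP wrapper ties together the description above and the affected-version list: it refuses AES-WRAP-PAD on a build that lacks the fix, and checks the ciphertext length against the RFC 5649 expansion that the vulnerable buffer sizing ignored. The cipher name `aes-256-wrap-pad` and the handling of branches outside 8.2 to 8.5 are assumptions.

```php
<?php
// Added example, not from the advisory or from php-src: refuse AES-WRAP-PAD on
// PHP builds without the CVE-2026-14355 fix, and check the ciphertext length
// against the RFC 5649 expansion that the vulnerable buffer sizing ignored.

// First fixed release of each affected branch, as listed in the advisory.
const AES_WRAP_PAD_FIXED_IN = [
    '8.2' => '8.2.32',
    '8.3' => '8.3.32',
    '8.4' => '8.4.23',
    '8.5' => '8.5.8',
];

// True when $version carries the fix. Branches not listed (below 8.2 or
// after 8.5) are treated as unaffected; that is an assumption, not advisory text.
function aesWrapPadIsFixed(string $version = PHP_VERSION): bool
{
    [$major, $minor] = explode('.', $version) + [1 => '0'];
    $branch = "$major.$minor";
    if (!isset(AES_WRAP_PAD_FIXED_IN[$branch])) {
        return true;
    }
    return version_compare($version, AES_WRAP_PAD_FIXED_IN[$branch], '>=');
}

// RFC 5649 output size: the key is padded to a multiple of 8 bytes and an
// 8-byte integrity block is prepended, so the output is always 8 to 15 bytes
// longer than the input (a 20-byte key wraps to 32 bytes, a 32-byte key to 40).
function rfc5649WrappedLength(int $keyLen): int
{
    return 8 * intdiv($keyLen + 7, 8) + 8;
}

function wrapKeyWithPadding(string $kek, string $keyToWrap): string
{
    if (!aesWrapPadIsFixed()) {
        throw new RuntimeException('AES-WRAP-PAD refused on PHP ' . PHP_VERSION . ' (CVE-2026-14355 unfixed)');
    }
    // Cipher name assumed to match OpenSSL's "aes-256-wrap-pad"; confirm it with
    // openssl_get_cipher_methods() on the build in use. The AIV is left to OpenSSL.
    $wrapped = openssl_encrypt($keyToWrap, 'aes-256-wrap-pad', $kek, OPENSSL_RAW_DATA);
    $expected = rfc5649WrappedLength(strlen($keyToWrap));
    if ($wrapped === false || strlen($wrapped) !== $expected) {
        throw new RuntimeException('AES-WRAP-PAD output mismatch: ' . (openssl_error_string() ?: 'bad length'));
    }
    return $wrapped;
}
```

The length check is a sanity check on the result, not a substitute for upgrading: on an unfixed build the overflow happens inside OpenSSL before the function can inspect anything.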