CVE-2026-14355

Severity CVSS v4.0:
Pending analysis
Type:
CWE-122 Heap-based Buffer Overflow
Publication date:
03/07/2026
Last modified:
04/07/2026

Description

In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort.