In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, and 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in the OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond the allocated memory, corrupting heap metadata and triggering an application abort.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 03 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Php, Php php | |
| Vendors & Products | Php, Php php | |
Fri, 03 Jul 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort. | |
| Title | ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD | |
| Weaknesses | CWE-122 | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: php
Published:
Updated: 2026-07-03T20:59:02.604Z
Reserved: 2026-07-01T17:52:41.706Z
Link: CVE-2026-14355
OpenCVE Enrichment
Updated: 2026-07-03T22:30:06Z
Weaknesses