CyberSecurityNews

Multiple PHP Vulnerabilities Enables DoS and Memory Corruption Attacks


Multiple security vulnerabilities in PHP have been disclosed that could allow attackers to trigger denial-of-service (DoS) conditions and cause memory corruption, impacting widely deployed web applications.

The issues, tracked as CVE-2026-12184 and CVE-2026-14355, were published through official PHP security advisories and affect several active branches of the language runtime.

The most severe issue, CVE-2026-12184, is a high-impact vulnerability in PHP’s HTTP stream wrapper implementation. The flaw occurs in the function that handles HTTP connections when Transport Layer Security (TLS) setup fails.

Specifically, when PHP attempts to establish a secure connection and the TLS initialization fails, the internal stream object is closed and reset.

However, the code continues to execute a cleanup routine that assumes the stream is still valid, leading to unsafe operations on a null reference.

This condition can be triggered remotely by causing TLS validation failures, such as presenting an expired certificate or mismatched peer name.

Security researchers demonstrated that exploitation does not require specially crafted code, making it easier to reproduce in real-world scenarios.

When successfully triggered, the flaw can crash the PHP FastCGI Process Manager (PHP-FPM), terminate all worker processes, and cause a complete service outage.

Multiple PHP Vulnerabilities

The vulnerability has been assigned a CVSS v4 score reflecting a high availability impact, as it allows unauthenticated attackers to disrupt networked web services.

Affected versions include PHP releases before 8.3.32, 8.4.21, and 8.5.6. Users are strongly advised to upgrade to patched versions that have corrected the improper cleanup logic.

In a separate advisory, CVE-2026-14355 describes a memory corruption flaw in PHP’s OpenSSL extension.

The issue is linked to the use of the AES-WRAP-PAD encryption algorithm, which is not widely used but is still present in some implementations. The vulnerability stems from incorrect buffer size calculations during encryption operations.

According to the advisory, the output buffer is allocated based on the plaintext length, without accounting for the required padding or the additional metadata defined in RFC 5649.

As a result, the allocated memory is too small, and OpenSSL writes beyond the buffer boundary during encryption.

This leads to corruption of the Zend memory manager heap, which may not immediately crash the application but can trigger failures later when corrupted memory structures are accessed.

In affected environments, this flaw may result in application crashes or degraded stability, effectively enabling a denial-of-service condition.

Although the attack complexity is considered high due to the need for specific algorithms, the absence of authentication requirements increases the potential risk in exposed applications.

This issue affects PHP versions earlier than 8.2.32, 8.3.32, 8.4.23, and 8.5.8. Patches have been released to correct buffer sizing and prevent memory overwrite conditions.

Both vulnerabilities highlight the risks of improper error handling and memory management in the core components of widely used programming languages.

Organizations running PHP-based services should prioritize patching these issues and review their use of encryption functions and external connections to reduce exposure.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.



Source link