VYPR
patchPublished Jul 6, 2026· 1 source

Multiple PHP Vulnerabilities Enable DoS and Memory Corruption Attacks

Two critical vulnerabilities in PHP, CVE-2026-12184 and CVE-2026-14355, have been disclosed, posing risks of denial-of-service and memory corruption for web applications.

Multiple security vulnerabilities have been disclosed in the widely-used PHP scripting language, presenting significant risks to web applications and services. The vulnerabilities, tracked as CVE-2026-12184 and CVE-2026-14355, were detailed in recent PHP security advisories and affect several active branches of the language runtime. These issues could allow attackers to trigger denial-of-service (DoS) conditions and cause memory corruption, impacting the stability and integrity of affected systems.

The most critical of the two, CVE-2026-12184, resides within PHP's HTTP stream wrapper implementation. This flaw is triggered when a Transport Layer Security (TLS) setup fails during an HTTP connection. In such scenarios, PHP attempts to clean up the stream object, but due to an improper cleanup routine that assumes the stream is still valid, it performs unsafe operations on a null reference. Attackers can exploit this by remotely inducing TLS validation failures, such as by presenting an invalid certificate or a mismatched peer name. This vulnerability has been demonstrated to be relatively easy to reproduce, requiring no specially crafted code. Successful exploitation can lead to the crashing of the PHP FastCGI Process Manager (PHP-FPM), terminating all worker processes and resulting in a complete service outage.

This DoS vulnerability has been assigned a high CVSS v4 score, reflecting its significant impact on availability. It allows unauthenticated attackers to disrupt networked web services, affecting PHP versions prior to 8.3.32, 8.4.21, and 8.5.6. Users and administrators are strongly urged to upgrade to the patched versions of PHP to address the improper cleanup logic that leads to this crash.

In parallel, CVE-2026-14355 describes a memory corruption vulnerability within PHP's OpenSSL extension. This issue is specifically related to the use of the AES-WRAP-PAD encryption algorithm. The vulnerability arises from incorrect buffer size calculations during encryption operations. The advisory indicates that the output buffer is allocated based on the plaintext length, but it fails to account for the necessary padding and additional metadata required by RFC 5649. Consequently, the allocated memory is insufficient, leading to OpenSSL writing beyond the buffer's boundaries during the encryption process.

This out-of-bounds write corrupts the Zend memory manager heap. While this corruption may not immediately cause an application crash, it can lead to subsequent failures when the corrupted memory structures are accessed. In practice, this can result in application instability or outright crashes, effectively enabling a denial-of-service condition. Although the attack complexity is considered high due to the specific algorithm requirement, the absence of authentication requirements means that exposed applications are still at risk.

This memory corruption flaw affects PHP versions earlier than 8.2.32, 8.3.32, 8.4.23, and 8.5.8. Patches have been released to rectify the buffer sizing issues and prevent the memory overwrite condition. Both vulnerabilities underscore the critical importance of robust error handling and meticulous memory management within the core components of widely adopted programming languages like PHP.

Organizations relying on PHP-based services should prioritize the immediate patching of these vulnerabilities. Furthermore, a review of their configurations, particularly concerning encryption functions and external connection handling, is recommended to mitigate potential exposure and enhance overall security posture.

Synthesized by Vypr AI