Multiple PHP Vulnerabilities Enable DoS and Memory Corruption Attacks


PHP has released security updates for multiple vulnerabilities that can trigger denial-of-service conditions and memory corruption in affected web applications. The two tracked issues are CVE-2026-12184, a TLS setup failure bug in PHP streams, and CVE-2026-14355, a memory corruption flaw in the OpenSSL extension.

The PHP project announced new security releases on July 2, 2026, including PHP 8.5.8, 8.4.23, 8.3.32, and 8.2.32. The fixes matter for administrators because PHP is widely used behind web applications, APIs, CMS platforms, and internal business systems.

The more severe issue is documented in the PHP advisory for CVE-2026-12184. It can crash the entire PHP-FPM process and its workers when TLS setup fails during an HTTP stream connection.

What PHP vulnerabilities were fixed?

CVE-2026-12184 affects PHP’s HTTP stream wrapper implementation. The bug appears when PHP tries to create a secure connection to a remote server and TLS setup fails, such as during peer-name validation failure or when a certificate is expired.

CVE-2026-14355 affects the PHP OpenSSL extension when the AES-WRAP-PAD algorithm is used with openssl_encrypt. The flaw comes from an undersized output buffer during an AES key-wrap-with-padding operation.

The PHP 8 changelog lists CVE-2026-12184 under Streams and CVE-2026-14355 under OpenSSL. That makes patching more than a routine maintenance update for servers that process external URLs or use OpenSSL encryption functions.

CVEComponentIssue typeMain impactSeverity
CVE-2026-12184HTTP stream wrapperTLS setup failure handlingRemote denial of service against PHP-FPMHigh
CVE-2026-14355OpenSSL extensionHeap-based memory corruptionApplication abort or denial of serviceModerate to medium

CVE-2026-12184 can bring down PHP-FPM

CVE-2026-12184 occurs in php_stream_url_wrap_http_ex. When TLS crypto setup fails, the stream is closed and reset to NULL. A later cleanup routine then still tries to reset the peer name as if the stream were valid.

The CVE-2026-12184 advisory says the condition can be triggered through a failed peer-name validation or an expired certificate. It also says the bug can cause a remotely triggered denial of service by bringing down the entire PHP-FPM process with all workers.

This matters for real web services because PHP applications often fetch remote HTTPS resources. If an application accepts or builds external URLs, a hostile or misconfigured remote TLS endpoint could become part of the crash path.

  • The attack vector is network-based.
  • No privileges are required.
  • No user interaction is required.
  • The attack requires certain deployment and execution conditions.
  • The main impact is availability loss.

Affected versions for the TLS stream flaw

The affected-version range for CVE-2026-12184 is narrower than the second vulnerability. The PHP advisory lists affected versions before PHP 8.3.32, 8.4.21, and 8.5.6.

Debian’s CVE-2026-12184 tracker notes that the issue only affects PHP 8.3 and later in its packaging context. That is important for distribution users because fixed package versions can differ from upstream version numbers.

Organizations should still rely on their own vendor packages when PHP comes from a Linux distribution. Vendor backports may fix a vulnerability without changing the upstream version number in the way administrators expect.

BranchCVE-2026-12184 fixed inAction
PHP 8.38.3.32Upgrade to 8.3.32 or a vendor-patched build
PHP 8.48.4.21Upgrade to 8.4.21 or later
PHP 8.58.5.6Upgrade to 8.5.6 or later

CVE-2026-14355 affects OpenSSL AES-WRAP-PAD handling

CVE-2026-14355 is a separate memory corruption issue in the PHP OpenSSL extension. It affects applications that use openssl_encrypt with the AES-WRAP-PAD algorithm.

The PHP advisory for CVE-2026-14355 explains that the output buffer is sized from the plaintext length, but AES key wrap with padding requires additional space. Because the buffer is too small, OpenSSL can write beyond the allocated memory.

The result is corruption of Zend memory manager heap metadata. The crash may appear later when the allocator detects corrupted bookkeeping, rather than exactly when the overwrite happens.

Why the OpenSSL flaw is lower severity

CVE-2026-14355 is serious, but its practical reach is narrower because it depends on use of a rarely used encryption algorithm. Attackers must find an application path that exposes AES-WRAP-PAD encryption through user-controlled or attacker-influenced input.

The NVD record for CVE-2026-14355 describes the bug as a heap-based buffer overflow affecting PHP 8.2 through 8.5 versions before the fixed releases. NVD also lists the CVSS 3.1 vector supplied by the PHP Group with high attack complexity and no user interaction.

In exposed applications, the most likely impact is instability or application abort. The risk increases if a web application lets remote users influence encryption input, key wrapping operations, or algorithm selection.

BranchCVE-2026-14355 fixed inAction
PHP 8.28.2.32Upgrade to 8.2.32 or a vendor-patched build
PHP 8.38.3.32Upgrade to 8.3.32 or later
PHP 8.48.4.23Upgrade to 8.4.23 or later
PHP 8.58.5.8Upgrade to 8.5.8 or later

PHP security releases are already available

The PHP release page shows the July 2, 2026 security releases for PHP 8.5.8, 8.4.23, 8.3.32, and 8.2.32. PHP says users of those branches are encouraged to upgrade to the new versions.

The PHP changelog confirms that the OpenSSL memory corruption fix landed in 8.5.8 and that the TLS stream crash fix appeared in the relevant earlier branch releases. Administrators should check the exact branch they run before choosing an update target.

For hosted applications, the fix path may depend on the hosting provider, container image, operating system package, or custom build pipeline. Teams should verify the runtime version, not only the PHP version declared in application dependencies.

Who is most exposed?

The TLS stream flaw is most relevant for applications that make outbound HTTPS requests from PHP. Examples include API integrations, webhook fetchers, metadata fetchers, feed readers, proxy-style services, import tools, and plugins that retrieve remote files.

The OpenSSL flaw is more specialized. It affects applications that use AES-WRAP-PAD through PHP’s OpenSSL extension, especially if attacker-controlled input can reach encryption operations.

The NVD vulnerability record says the AES-WRAP-PAD bug can corrupt heap metadata and trigger an application abort. That makes availability the clearest operational concern, even if confidentiality and integrity impacts are listed at lower levels.

  • Web apps that fetch remote HTTPS URLs from user or partner input
  • PHP-FPM deployments where one crash affects many workers
  • CMS plugins or importers that retrieve external resources
  • API gateways or middleware written in PHP
  • Applications using openssl_encrypt with AES-WRAP-PAD
  • Containers built from older PHP base images

What administrators should do now

Administrators should first inventory PHP versions across servers, containers, CI images, and managed hosting accounts. Many environments run several PHP branches at once, especially when legacy applications remain on older runtimes.

Debian’s PHP tracker entry shows why distribution status matters. Fixed package versions can differ by release, so administrators should check vendor advisories before assuming a system is vulnerable or safe based only on the upstream version string.

After patching, teams should restart PHP-FPM pools, web servers, and application containers so the fixed runtime is actually loaded. Leaving old workers alive can keep vulnerable code running even after packages are updated.

  1. Identify every PHP runtime in production and staging.
  2. Check whether the runtime is affected by CVE-2026-12184 or CVE-2026-14355.
  3. Upgrade through official PHP builds, OS packages, or trusted container images.
  4. Restart PHP-FPM, Apache, Nginx, and application containers where needed.
  5. Review application code that fetches external HTTPS resources.
  6. Review any use of openssl_encrypt with AES-WRAP-PAD.
  7. Monitor error logs for crashes, segmentation faults, or Zend heap corruption messages.

Why PHP-FPM crashes can become production outages

PHP-FPM commonly runs pools of worker processes behind Nginx or Apache. If a vulnerability crashes the entire FPM process and workers, the web server may remain online while PHP-backed pages begin returning errors.

That makes service monitoring important. A simple TCP check against the web server may not detect broken PHP execution if static files still load but application routes fail.

Teams should monitor HTTP application health, PHP-FPM process status, error rates, and pool restarts. These signals help distinguish a normal upstream outage from runtime-level crashes tied to vulnerable behavior.

Temporary risk reduction before full patching

Patching is the primary fix. Temporary controls can reduce exposure, but they should not replace runtime updates.

For CVE-2026-12184, teams can review where applications fetch remote HTTPS URLs and restrict user-controlled destinations. For CVE-2026-14355, teams can remove or block AES-WRAP-PAD use where it is not required.

Developers should also make outbound request handling more defensive. Applications should validate URLs, restrict allowed hosts where possible, set timeouts, and avoid letting untrusted users decide arbitrary remote endpoints.

ControlRisk reduced
Patch PHP to fixed versionsRemoves the vulnerable runtime behavior
Restrict outbound HTTPS fetchesLimits exposure to malicious or broken TLS endpoints
Review OpenSSL algorithm usageFinds risky AES-WRAP-PAD code paths
Restart PHP-FPM after updatesEnsures fixed code is loaded by active workers
Monitor PHP crash logsDetects possible exploitation or instability

Bottom line

The latest PHP security updates address two different runtime risks. CVE-2026-12184 can remotely crash PHP-FPM when TLS setup fails in the HTTP stream wrapper, while CVE-2026-14355 can corrupt memory when AES-WRAP-PAD is used through the OpenSSL extension.

Organizations should update PHP quickly, verify vendor package status, restart runtime services, and review application paths that fetch remote HTTPS resources or use OpenSSL encryption functions. The fastest way to reduce risk is to move each active branch to the fixed release level or a vendor-patched equivalent.

FAQ

What are CVE-2026-12184 and CVE-2026-14355?

CVE-2026-12184 is a PHP HTTP stream wrapper flaw that can crash PHP-FPM when TLS setup fails. CVE-2026-14355 is a PHP OpenSSL extension memory corruption flaw involving the AES-WRAP-PAD algorithm.

Which PHP versions fix CVE-2026-12184?

CVE-2026-12184 is fixed in PHP 8.3.32, PHP 8.4.21, and PHP 8.5.6. Administrators should also check their Linux distribution advisories because vendors may backport fixes into different package versions.

Which PHP versions fix CVE-2026-14355?

CVE-2026-14355 is fixed in PHP 8.2.32, PHP 8.3.32, PHP 8.4.23, and PHP 8.5.8. The issue affects the OpenSSL extension’s AES-WRAP-PAD handling.

Can these PHP vulnerabilities lead to remote code execution?

The available advisories describe denial-of-service and memory corruption impacts, not confirmed remote code execution. CVE-2026-12184 can bring down PHP-FPM, while CVE-2026-14355 can corrupt heap metadata and abort the application.

What should administrators do after updating PHP?

Administrators should restart PHP-FPM, web servers, and containers so the patched runtime is active. They should also verify the running PHP version, monitor crash logs, and review code paths that fetch remote HTTPS URLs or use openssl_encrypt with AES-WRAP-PAD.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages