Multiple PHP Vulnerabilities Enable DoS and Memory Corruption Attacks
PHP has released security updates for multiple vulnerabilities that can trigger denial-of-service conditions and memory corruption in affected web applications. The two tracked issues are CVE-2026-12184, a TLS setup failure bug in PHP streams, and CVE-2026-14355, a memory corruption flaw in the OpenSSL extension.
The PHP project announced new security releases on July 2, 2026, including PHP 8.5.8, 8.4.23, 8.3.32, and 8.2.32. The fixes matter for administrators because PHP is widely used behind web applications, APIs, CMS platforms, and internal business systems.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The more severe issue is documented in the PHP advisory for CVE-2026-12184. It can crash the entire PHP-FPM process and its workers when TLS setup fails during an HTTP stream connection.
What PHP vulnerabilities were fixed?
CVE-2026-12184 affects PHP’s HTTP stream wrapper implementation. The bug appears when PHP tries to create a secure connection to a remote server and TLS setup fails, such as during peer-name validation failure or when a certificate is expired.
CVE-2026-14355 affects the PHP OpenSSL extension when the AES-WRAP-PAD algorithm is used with openssl_encrypt. The flaw comes from an undersized output buffer during an AES key-wrap-with-padding operation.
The PHP 8 changelog lists CVE-2026-12184 under Streams and CVE-2026-14355 under OpenSSL. That makes patching more than a routine maintenance update for servers that process external URLs or use OpenSSL encryption functions.
| CVE | Component | Issue type | Main impact | Severity |
|---|---|---|---|---|
| CVE-2026-12184 | HTTP stream wrapper | TLS setup failure handling | Remote denial of service against PHP-FPM | High |
| CVE-2026-14355 | OpenSSL extension | Heap-based memory corruption | Application abort or denial of service | Moderate to medium |
CVE-2026-12184 can bring down PHP-FPM
CVE-2026-12184 occurs in php_stream_url_wrap_http_ex. When TLS crypto setup fails, the stream is closed and reset to NULL. A later cleanup routine then still tries to reset the peer name as if the stream were valid.
The CVE-2026-12184 advisory says the condition can be triggered through a failed peer-name validation or an expired certificate. It also says the bug can cause a remotely triggered denial of service by bringing down the entire PHP-FPM process with all workers.
This matters for real web services because PHP applications often fetch remote HTTPS resources. If an application accepts or builds external URLs, a hostile or misconfigured remote TLS endpoint could become part of the crash path.
- The attack vector is network-based.
- No privileges are required.
- No user interaction is required.
- The attack requires certain deployment and execution conditions.
- The main impact is availability loss.
Affected versions for the TLS stream flaw
The affected-version range for CVE-2026-12184 is narrower than the second vulnerability. The PHP advisory lists affected versions before PHP 8.3.32, 8.4.21, and 8.5.6.
Debian’s CVE-2026-12184 tracker notes that the issue only affects PHP 8.3 and later in its packaging context. That is important for distribution users because fixed package versions can differ from upstream version numbers.
Organizations should still rely on their own vendor packages when PHP comes from a Linux distribution. Vendor backports may fix a vulnerability without changing the upstream version number in the way administrators expect.
| Branch | CVE-2026-12184 fixed in | Action |
|---|---|---|
| PHP 8.3 | 8.3.32 | Upgrade to 8.3.32 or a vendor-patched build |
| PHP 8.4 | 8.4.21 | Upgrade to 8.4.21 or later |
| PHP 8.5 | 8.5.6 | Upgrade to 8.5.6 or later |
CVE-2026-14355 affects OpenSSL AES-WRAP-PAD handling
CVE-2026-14355 is a separate memory corruption issue in the PHP OpenSSL extension. It affects applications that use openssl_encrypt with the AES-WRAP-PAD algorithm.
The PHP advisory for CVE-2026-14355 explains that the output buffer is sized from the plaintext length, but AES key wrap with padding requires additional space. Because the buffer is too small, OpenSSL can write beyond the allocated memory.
The result is corruption of Zend memory manager heap metadata. The crash may appear later when the allocator detects corrupted bookkeeping, rather than exactly when the overwrite happens.
Why the OpenSSL flaw is lower severity
CVE-2026-14355 is serious, but its practical reach is narrower because it depends on use of a rarely used encryption algorithm. Attackers must find an application path that exposes AES-WRAP-PAD encryption through user-controlled or attacker-influenced input.
The NVD record for CVE-2026-14355 describes the bug as a heap-based buffer overflow affecting PHP 8.2 through 8.5 versions before the fixed releases. NVD also lists the CVSS 3.1 vector supplied by the PHP Group with high attack complexity and no user interaction.
In exposed applications, the most likely impact is instability or application abort. The risk increases if a web application lets remote users influence encryption input, key wrapping operations, or algorithm selection.
| Branch | CVE-2026-14355 fixed in | Action |
|---|---|---|
| PHP 8.2 | 8.2.32 | Upgrade to 8.2.32 or a vendor-patched build |
| PHP 8.3 | 8.3.32 | Upgrade to 8.3.32 or later |
| PHP 8.4 | 8.4.23 | Upgrade to 8.4.23 or later |
| PHP 8.5 | 8.5.8 | Upgrade to 8.5.8 or later |
PHP security releases are already available
The PHP release page shows the July 2, 2026 security releases for PHP 8.5.8, 8.4.23, 8.3.32, and 8.2.32. PHP says users of those branches are encouraged to upgrade to the new versions.
The PHP changelog confirms that the OpenSSL memory corruption fix landed in 8.5.8 and that the TLS stream crash fix appeared in the relevant earlier branch releases. Administrators should check the exact branch they run before choosing an update target.
For hosted applications, the fix path may depend on the hosting provider, container image, operating system package, or custom build pipeline. Teams should verify the runtime version, not only the PHP version declared in application dependencies.
Who is most exposed?
The TLS stream flaw is most relevant for applications that make outbound HTTPS requests from PHP. Examples include API integrations, webhook fetchers, metadata fetchers, feed readers, proxy-style services, import tools, and plugins that retrieve remote files.
The OpenSSL flaw is more specialized. It affects applications that use AES-WRAP-PAD through PHP’s OpenSSL extension, especially if attacker-controlled input can reach encryption operations.
The NVD vulnerability record says the AES-WRAP-PAD bug can corrupt heap metadata and trigger an application abort. That makes availability the clearest operational concern, even if confidentiality and integrity impacts are listed at lower levels.
- Web apps that fetch remote HTTPS URLs from user or partner input
- PHP-FPM deployments where one crash affects many workers
- CMS plugins or importers that retrieve external resources
- API gateways or middleware written in PHP
- Applications using openssl_encrypt with AES-WRAP-PAD
- Containers built from older PHP base images
What administrators should do now
Administrators should first inventory PHP versions across servers, containers, CI images, and managed hosting accounts. Many environments run several PHP branches at once, especially when legacy applications remain on older runtimes.
Debian’s PHP tracker entry shows why distribution status matters. Fixed package versions can differ by release, so administrators should check vendor advisories before assuming a system is vulnerable or safe based only on the upstream version string.
After patching, teams should restart PHP-FPM pools, web servers, and application containers so the fixed runtime is actually loaded. Leaving old workers alive can keep vulnerable code running even after packages are updated.
- Identify every PHP runtime in production and staging.
- Check whether the runtime is affected by CVE-2026-12184 or CVE-2026-14355.
- Upgrade through official PHP builds, OS packages, or trusted container images.
- Restart PHP-FPM, Apache, Nginx, and application containers where needed.
- Review application code that fetches external HTTPS resources.
- Review any use of openssl_encrypt with AES-WRAP-PAD.
- Monitor error logs for crashes, segmentation faults, or Zend heap corruption messages.
Why PHP-FPM crashes can become production outages
PHP-FPM commonly runs pools of worker processes behind Nginx or Apache. If a vulnerability crashes the entire FPM process and workers, the web server may remain online while PHP-backed pages begin returning errors.
That makes service monitoring important. A simple TCP check against the web server may not detect broken PHP execution if static files still load but application routes fail.
Teams should monitor HTTP application health, PHP-FPM process status, error rates, and pool restarts. These signals help distinguish a normal upstream outage from runtime-level crashes tied to vulnerable behavior.
Temporary risk reduction before full patching
Patching is the primary fix. Temporary controls can reduce exposure, but they should not replace runtime updates.
For CVE-2026-12184, teams can review where applications fetch remote HTTPS URLs and restrict user-controlled destinations. For CVE-2026-14355, teams can remove or block AES-WRAP-PAD use where it is not required.
Developers should also make outbound request handling more defensive. Applications should validate URLs, restrict allowed hosts where possible, set timeouts, and avoid letting untrusted users decide arbitrary remote endpoints.
| Control | Risk reduced |
|---|---|
| Patch PHP to fixed versions | Removes the vulnerable runtime behavior |
| Restrict outbound HTTPS fetches | Limits exposure to malicious or broken TLS endpoints |
| Review OpenSSL algorithm usage | Finds risky AES-WRAP-PAD code paths |
| Restart PHP-FPM after updates | Ensures fixed code is loaded by active workers |
| Monitor PHP crash logs | Detects possible exploitation or instability |
Bottom line
The latest PHP security updates address two different runtime risks. CVE-2026-12184 can remotely crash PHP-FPM when TLS setup fails in the HTTP stream wrapper, while CVE-2026-14355 can corrupt memory when AES-WRAP-PAD is used through the OpenSSL extension.
Organizations should update PHP quickly, verify vendor package status, restart runtime services, and review application paths that fetch remote HTTPS resources or use OpenSSL encryption functions. The fastest way to reduce risk is to move each active branch to the fixed release level or a vendor-patched equivalent.
FAQ
CVE-2026-12184 is a PHP HTTP stream wrapper flaw that can crash PHP-FPM when TLS setup fails. CVE-2026-14355 is a PHP OpenSSL extension memory corruption flaw involving the AES-WRAP-PAD algorithm.
CVE-2026-12184 is fixed in PHP 8.3.32, PHP 8.4.21, and PHP 8.5.6. Administrators should also check their Linux distribution advisories because vendors may backport fixes into different package versions.
CVE-2026-14355 is fixed in PHP 8.2.32, PHP 8.3.32, PHP 8.4.23, and PHP 8.5.8. The issue affects the OpenSSL extension’s AES-WRAP-PAD handling.
The available advisories describe denial-of-service and memory corruption impacts, not confirmed remote code execution. CVE-2026-12184 can bring down PHP-FPM, while CVE-2026-14355 can corrupt heap metadata and abort the application.
Administrators should restart PHP-FPM, web servers, and containers so the patched runtime is active. They should also verify the running PHP version, monitor crash logs, and review code paths that fetch remote HTTPS URLs or use openssl_encrypt with AES-WRAP-PAD.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages