Multiple PHP Vulnerabilities Allow DoS and Memory Corruption Attacks
Key Takeaways Two critical vulnerabilities (CVE-2026-12184 and CVE-2026-14355) have been identified in PHP. These flaws can lead to denial-of-service (DoS) conditions and memory corruption in web...
Key Takeaways
- Two critical vulnerabilities (CVE-2026-12184 and CVE-2026-14355) have been identified in PHP.
- These flaws can lead to denial-of-service (DoS) conditions and memory corruption in web applications.
- The vulnerabilities impact multiple active branches of the PHP runtime, including versions prior to 8.3.32, 8.4.21, 8.5.6, and 8.2.32, 8.4.23, 8.5.8.
- Patches are available, and immediate upgrades are strongly recommended for all affected deployments.
Recent disclosures have revealed two significant security flaws in PHP, the widely utilized scripting language for web development. These vulnerabilities could allow malicious actors to instigate denial-of-service attacks or corrupt memory, threatening the stability and availability of countless web applications globally.
Table Of Content
Critical DoS Vulnerability in PHP’s HTTP Stream Wrapper
The more critical of the two issues, tracked as CVE-2026-12184, resides within PHP’s HTTP stream wrapper implementation. This high-impact vulnerability specifically manifests during the handling of HTTP connections when a Transport Layer Security (TLS) setup fails.
The core problem arises when PHP attempts to establish a secure connection and the TLS initialization process encounters an error. While the internal stream object is correctly closed and reset in this scenario, the subsequent cleanup routine proceeds as if the stream remains valid. This leads to dangerous operations being performed on a null reference.
Attackers can remotely trigger this condition by intentionally causing TLS validation failures, for example, by presenting an expired certificate or a certificate with a mismatched peer name. Security researchers have demonstrated that exploitation of this flaw does not necessitate complex, specially crafted code, making it readily reproducible in real-world environments. Successful exploitation of CVE-2026-12184 can lead to the crash of the PHP FastCGI Process Manager (PHP-FPM), terminating all associated worker processes and resulting in a complete service outage for the affected web application.
This vulnerability has received a CVSS v4 score indicative of a high availability impact, as it permits unauthenticated attackers to severely disrupt networked web services. The affected PHP versions include all releases prior to 8.3.32, 8.4.21, and 8.5.6. Users are strongly urged to upgrade to the patched versions, which incorporate corrected cleanup logic to prevent this issue.
Memory Corruption in OpenSSL Extension
A separate advisory details CVE-2026-14355, a memory corruption vulnerability found within PHP’s OpenSSL extension. This flaw is specifically tied to the use of the AES-WRAP-PAD encryption algorithm, an algorithm that, while not extensively adopted, is still present in certain implementations.
The vulnerability stems from an incorrect calculation of buffer sizes during encryption operations. According to the advisory, the output buffer is allocated based solely on the plaintext length, failing to account for necessary padding or the additional metadata specified in RFC 5649. This miscalculation results in an undersized memory allocation, causing OpenSSL to write beyond the designated buffer boundary during the encryption process.
This out-of-bounds write leads to corruption of the Zend memory manager heap. While this might not immediately crash the application, it can trigger failures later when corrupted memory structures are accessed, ultimately causing application crashes or significant stability degradation. In essence, this flaw can also lead to a denial-of-service condition.
Despite the attack complexity being rated as high due to the requirement for specific encryption algorithms, the absence of authentication needed for exploitation elevates the potential risk for exposed applications. This issue affects PHP versions earlier than 8.2.32, 8.3.32, 8.4.23, and 8.5.8. Patches have been released to rectify the buffer sizing errors and prevent these memory overwrite conditions.
Both CVE-2026-12184 and CVE-2026-14355 underscore the critical importance of meticulous error handling and robust memory management practices within the foundational components of widely used programming languages. Organizations deploying PHP-based services must prioritize patching these vulnerabilities and conduct thorough reviews of their encryption function usage and external connection configurations to minimize exposure.
What You Should Do
- Immediately update all PHP installations to the latest patched versions: at least 8.3.32, 8.4.21, 8.5.6 for CVE-2026-12184, and 8.2.32, 8.3.32, 8.4.23, 8.5.8 for CVE-2026-14355.
- Review web server configurations to ensure proper TLS certificate validation and error handling are in place.
- Minimize exposure to external connections where possible, especially for systems that interact with untrusted or partially trusted networks.
- Regularly monitor PHP application logs for unusual crashes or instability that could indicate exploitation attempts.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.