CVE-2026-14355
Publication date 3 July 2026
Last updated 9 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| php5 | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 14.04 LTS trusty |
Needs evaluation
|
|
| php7.0 | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 16.04 LTS xenial |
Needs evaluation
|
|
| php7.2 | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| php7.4 | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Needs evaluation
|
|
| php8.1 | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Needs evaluation
|
|
| php8.3 | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy | Not in release | |
| php8.4 | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| php8.5 | 26.04 LTS resolute |
Needs evaluation
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |
Notes
Severity score breakdown
CVSS version: CVSS v3.0
Base score
5.6 · Medium
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L