HTTP Stream Wrapper Flaw Causes Service Crashes
A high severity vulnerability in PHP’s HTTP stream wrapper, tracked as CVE-2026-12184, allows remote attackers to trigger denial-of-service conditions by exploiting improper error handling during TLS connection failures. When a secure connection attempt fails, the internal stream object is closed but the cleanup routine continues executing as if the stream remains valid. This leads to unsafe operations on a null reference, which can crash the PHP FastCGI Process Manager (PHP-FPM) and terminate all worker processes. The vulnerability does not require specially crafted input, making it straightforward to reproduce by sending requests that fail TLS validation, such as using an expired certificate. Affected versions include PHP releases before 8.3.32, 8.4.21, and 8.5.6.
Memory Corruption in OpenSSL Extension
A second vulnerability, CVE-2026-14355, affects PHP’s OpenSSL extension and stems from incorrect buffer size calculations when using the AES-WRAP-PAD encryption algorithm. The output buffer is allocated based solely on plaintext length without accounting for padding or metadata defined in RFC 5649, causing OpenSSL to write beyond the allocated memory boundary. This corrupts the Zend memory manager heap and can lead to application crashes or degraded stability. Although exploiting this flaw requires the use of specific encryption algorithms, it does not require authentication, increasing risk in exposed applications. Patched versions are available for PHP branches before 8.2.32, 8.3.32, 8.4.23, and 8.5.8.
Source: Cyber Security News
