CVE-2025-14178

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-14178
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-14178.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-14178
Aliases
Downstream
Related
Published
2025-12-27T20:15:40.570Z
Modified
2026-01-11T04:01:33.085743Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVSS Calculator
Summary
[none]
Details

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in arraymerge() when the total element count of packed arrays exceeds 32-bit limits or HTMAXSIZE, due to an integer overflow in the precomputation of element counts using zendhashnumelements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Introduced
381ba9f5d0edd0c9c8ec1dea7e21d513ad08b115
Fixed
94abff74457effe4432f0bd49f5230aa11155dff

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-14178.json"