DEBIAN-CVE-2025-14178

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-14178
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-14178.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-14178
Upstream
Downstream
Published
2025-12-27T20:15:40.570Z
Modified
2026-01-24T11:18:32.226047Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVSS Calculator
Summary
[none]
Details

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in arraymerge() when the total element count of packed arrays exceeds 32-bit limits or HTMAXSIZE, due to an integer overflow in the precomputation of element counts using zendhashnumelements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

References

Affected packages

Debian:11 / php7.4

Package

Name
php7.4
Purl
pkg:deb/debian/php7.4?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.4.33-1+deb11u10

Affected versions

7.*

7.4.21-1+deb11u1
7.4.25-1+deb11u1
7.4.26-1
7.4.28-1+deb11u1
7.4.30-1+deb11u1
7.4.33-1+deb11u1
7.4.33-1+deb11u3
7.4.33-1+deb11u4
7.4.33-1+deb11u5
7.4.33-1+deb11u6
7.4.33-1+deb11u7
7.4.33-1+deb11u8
7.4.33-1+deb11u9

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-14178.json"

Debian:12 / php8.2

Package

Name
php8.2
Purl
pkg:deb/debian/php8.2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.2.5-2
8.2.7-1~deb12u1
8.2.7-1
8.2.7-1.1
8.2.7-1.2
8.2.10-1
8.2.10-2
8.2.12-1
8.2.16-1
8.2.16-2
8.2.17-1
8.2.18-1~deb12u1
8.2.18-1
8.2.20-1~deb12u1
8.2.20-2
8.2.20-3
8.2.21-1
8.2.23-1
8.2.24-1~deb12u1
8.2.24-1
8.2.26-1~deb12u1
8.2.26-4
8.2.27-1
8.2.28-1~deb12u1
8.2.29-1~deb12u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-14178.json"

Debian:13 / php8.4

Package

Name
php8.4
Purl
pkg:deb/debian/php8.4?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.4.16-1~deb13u1

Affected versions

8.*

8.4.11-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-14178.json"

Debian:14 / php8.4

Package

Name
php8.4
Purl
pkg:deb/debian/php8.4?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.4.16-1

Affected versions

8.*

8.4.11-1
8.4.16-1~deb13u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-14178.json"