Two newly disclosed security vulnerabilities in PHP could allow attackers to crash websites and web applications. The issues affect multiple supported PHP versions, and website owners are advised to install the latest security updates as soon as possible.
The vulnerabilities are tracked as CVE-2026-12184 and CVE-2026-14355. Both have been disclosed through official PHP security advisories and could lead to denial-of-service (DoS) attacks by crashing PHP-based services.
The more serious vulnerability, CVE-2026-12184, affects PHP’s HTTP stream wrapper. The flaw occurs when PHP tries to establish a secure HTTPS connection. If the TLS handshake fails, PHP closes the connection but continues to run cleanup code that assumes the connection is still active.
This results in unsafe memory operations that can crash the PHP process.
According to security researchers, an attacker can trigger the issue by causing TLS validation to fail, such as by presenting an expired certificate or one with a mismatched hostname. The attack does not require specially crafted code, making it easier to exploit in real-world scenarios.
If successfully exploited, the vulnerability can crash PHP FastCGI Process Manager (PHP-FPM), terminate all worker processes, and make an entire website or web application unavailable.
The vulnerability affects the following PHP versions:
- PHP versions earlier than 8.3.32
- PHP versions earlier than 8.4.21
- PHP versions earlier than 8.5.6
PHP has already released security updates to fix the issue.
The second vulnerability, CVE-2026-14355, affects PHP’s OpenSSL extension. It is related to the AES-WRAP-PAD encryption algorithm, which is not commonly used but is still available in some applications.
The flaw is caused by incorrect memory allocation during encryption. PHP allocates a buffer that is too small for the encrypted output, allowing OpenSSL to write beyond the allocated memory.
This causes memory corruption, which may not immediately crash an application but can lead to unexpected failures, reduced stability, or denial-of-service conditions later.
The vulnerability affects:
- PHP versions earlier than 8.2.32
- PHP versions earlier than 8.3.32
- PHP versions earlier than 8.4.23
- PHP versions earlier than 8.5.8
Updated PHP releases fix the buffer allocation issue and prevent memory corruption.
PHP powers millions of websites and web applications around the world, making security updates like these important. Although the second vulnerability requires specific conditions to exploit, both flaws highlight how memory management and error handling bugs can affect the stability of web services.
Website owners, developers, hosting providers, and system administrators running PHP-based applications should update to the latest patched versions as soon as possible. Delaying these updates could leave websites vulnerable to service disruptions and potential attacks.






