CVE-2025-14178 - Vulnerability Details - OpenCVE

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2

History

Sat, 27 Dec 2025 19:45:00 +0000

Type	Values Removed	Values Added
Description		In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
Title		Heap buffer overflow in array_merge()
Weaknesses		CWE-190 CWE-787
References		https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}`

MITRE

Status: PUBLISHED

Assigner: php

Published: 2025-12-27T19:27:41.691Z

Updated: 2025-12-27T19:27:41.691Z

Reserved: 2025-12-06T06:25:31.535Z

Link: CVE-2025-14178

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-12-27T20:15:40.570

Modified: 2025-12-27T20:15:40.570

Link: CVE-2025-14178

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14178", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2025-12-06T06:25:31.535Z", "datePublished": "2025-12-27T19:27:41.691Z", "dateUpdated": "2025-12-27T19:27:41.691Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "packageName": "php", "product": "PHP", "vendor": "PHP Group", "versions": [{"lessThan": "8.1.34", "status": "affected", "version": "8.1.*", "versionType": "semver"}, {"lessThan": "8.2.30", "status": "affected", "version": "8.2.*", "versionType": "semver"}, {"lessThan": "8.3.29", "status": "affected", "version": "8.3.*", "versionType": "semver"}, {"lessThan": "8.4.16", "status": "affected", "version": "8.4.*", "versionType": "semver"}, {"lessThan": "8.5.1", "status": "affected", "version": "8.5.*", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Niels Dossche"}], "datePublic": "2025-12-18T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.</p>"}], "value": "In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2025-12-27T19:27:41.691Z"}, "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2"}], "source": {"advisory": "GHSA-h96m-rvf9-jgm2", "discovery": "INTERNAL"}, "title": "Heap buffer overflow in array_merge()", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}