Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
PHP Vulnerabilities Pose DoS and Memory Risks

PHP Vulnerabilities Pose DoS and Memory Risks

Posted on July 6, 2026 By CWS

Recent disclosures have brought to light multiple PHP vulnerabilities that could significantly affect web applications by inducing denial-of-service (DoS) conditions and causing memory corruption. These vulnerabilities, identified as CVE-2026-12184 and CVE-2026-14355, have been made public through official PHP security advisories, impacting various active PHP runtime branches.

Key PHP Security Challenges

The more critical of the two, CVE-2026-12184, presents a high-risk vulnerability within PHP’s HTTP stream wrapper. This flaw is associated with the handling of HTTP connections when Transport Layer Security (TLS) setup fails. When PHP engages in establishing a secure connection and the TLS initialization is unsuccessful, the internal stream object is prematurely closed and reset, yet subsequent code execution continues under false assumptions about stream validity, risking operations on null references.

This vulnerability can be exploited remotely by inducing TLS validation failures, such as using expired certificates or mismatched peer names. Security experts have shown that exploiting this flaw does not demand specially crafted code, making the risk more tangible in practical scenarios. If exploited, this can result in the PHP FastCGI Process Manager (PHP-FPM) crashing, ceasing all worker processes, and leading to complete service outages.

Impact and Recommendations

The CVE-2026-12184 vulnerability is assigned a high availability impact CVSS v4 score due to its potential to allow unauthenticated attackers to disrupt networked web services. The affected PHP versions include those before 8.3.32, 8.4.21, and 8.5.6. Urgent updates to patched versions correcting the flawed cleanup logic are strongly advised.

Separately, CVE-2026-14355 describes a memory corruption issue within PHP’s OpenSSL extension. This vulnerability is linked to the AES-WRAP-PAD encryption algorithm, which, although not commonly used, still exists in some implementations. The flaw arises from incorrect buffer size calculations during encryption, which results in OpenSSL writing beyond the buffer boundary, potentially corrupting the Zend memory manager heap.

Future Outlook and Mitigations

The memory corruption flaw affects PHP versions before 8.2.32, 8.3.32, 8.4.23, and 8.5.8. Patches have been issued to address buffer sizing and prevent memory overflows. Despite high attack complexity due to specific algorithm requirements, the absence of authentication steps increases the risk in exposed applications.

Both vulnerabilities underscore the dangers of improper error handling and memory management within core components of prominent programming languages. Organizations utilizing PHP-based services should promptly apply these patches and assess their encryption functions and external connectivity to mitigate exposure risks.

Organizations are encouraged to enhance their Security Operations Center (SOC) by integrating tools like ANY.RUN to accelerate threat detection and facilitate rapid investigations.

Cyber Security News Tags:application security, buffer overflow, CVE-2026-12184, CVE-2026-14355, DoS attacks, Encryption, memory corruption, OpenSSL, patch updates, PHP, Security, TLS, Vulnerabilities, web security

Post navigation

Previous Post: AI Exploited in Prompt Injection Attacks for Crypto Scams
Next Post: Key Features to Evaluate AI SOC Platforms in 2026

Related Posts

SmartApeSG Campaign Infects Windows with Remote Access Malware SmartApeSG Campaign Infects Windows with Remote Access Malware Cyber Security News
Herodotus Android Banking Malware Takes Full Control Of Device Evading Antivirus Herodotus Android Banking Malware Takes Full Control Of Device Evading Antivirus Cyber Security News
Top 10 Best Attack Surface Management (ASM) Software Solutions In 2025 Top 10 Best Attack Surface Management (ASM) Software Solutions In 2025 Cyber Security News
Anthropic Outage Disrupts Claude Models Anthropic Outage Disrupts Claude Models Cyber Security News
GitLab Security Flaws Demand Immediate Patching GitLab Security Flaws Demand Immediate Patching Cyber Security News
Vim Vulnerability Allows OS Command Execution Vim Vulnerability Allows OS Command Execution Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Linux Bad Epoll Vulnerability Exposes Critical Root Access Risk
  • Chinese Hackers Use Fake Tax Tools in India to Deploy DcRAT
  • ModSecurity Flaws Allow Firewall Rule Bypass
  • North Korean Supply Chain Cyber Attacks on Open Source Developers
  • Cybersecurity Weekly: Proxy Networks and AI Threats

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Linux Bad Epoll Vulnerability Exposes Critical Root Access Risk
  • Chinese Hackers Use Fake Tax Tools in India to Deploy DcRAT
  • ModSecurity Flaws Allow Firewall Rule Bypass
  • North Korean Supply Chain Cyber Attacks on Open Source Developers
  • Cybersecurity Weekly: Proxy Networks and AI Threats

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark