CVE-2025-14178

🗓️ 27 Dec 2025 19:27:41Reported by phpType

Heap buffer overflow in array_merge when packed arrays exceed 32-bit or HT_MAX_SIZE, causing memory corruption.

Reporter	Title	Published	Views	Family All 263
Tenable Nessus	Amazon Linux 2023 : php8.4, php8.4-bcmath, php8.4-cli (ALAS2023-2025-1352)	8 Jan 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : php8.3, php8.3-bcmath, php8.3-cli (ALAS2023-2025-1353)	8 Jan 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : php8.2, php8.2-bcmath, php8.2-cli (ALAS2023-2025-1354)	8 Jan 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : php8.1, php8.1-bcmath, php8.1-cli (ALAS2023-2025-1355)	8 Jan 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : php, --advisory ALAS2PHP8.1-2026-008 (ALASPHP8.1-2026-008)	22 Jan 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : php, --advisory ALAS2PHP8.2-2026-009 (ALASPHP8.2-2026-009)	22 Jan 202600:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0043: php:7.4 (ALINUX3-SA-2026:0043)	5 Mar 202600:00	–	nessus
Tenable Nessus	AlmaLinux 9 : php:8.2 (ALSA-2026:1409)	2 Feb 202600:00	–	nessus
Tenable Nessus	AlmaLinux 8 : php:8.2 (ALSA-2026:1412)	2 Feb 202600:00	–	nessus
Tenable Nessus	AlmaLinux 9 : php:8.3 (ALSA-2026:1429)	30 Jan 202600:00	–	nessus

NVD

Node

php phpRange8.1.0–8.1.34

php phpRange8.2.0–8.2.30

php phpRange8.3.0–8.3.29

php phpRange8.4.0–8.4.16

php phpRange8.5.0–8.5.1

[
  {
    "defaultStatus": "affected",
    "packageName": "php",
    "product": "PHP",
    "vendor": "PHP Group",
    "versions": [
      {
        "lessThan": "8.1.34",
        "status": "affected",
        "version": "8.1.*",
        "versionType": "semver"
      },
      {
        "lessThan": "8.2.30",
        "status": "affected",
        "version": "8.2.*",
        "versionType": "semver"
      },
      {
        "lessThan": "8.3.29",
        "status": "affected",
        "version": "8.3.*",
        "versionType": "semver"
      },
      {
        "lessThan": "8.4.16",
        "status": "affected",
        "version": "8.4.*",
        "versionType": "semver"
      },
      {
        "lessThan": "8.5.1",
        "status": "affected",
        "version": "8.5.*",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
github	www.github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2
lists	www.lists.debian.org/debian-lts-announce/2026/01/msg00019.html

24 Jan 2026 11:15Current

7.2High risk

Vulners AI Score7.2

CVSS 3.16.5 - 8.2

EPSS0.00019

SSVC