CVE-2025-14178

Description

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

Read the notes from the security team

• How can I get the fixes?
• What do statuses mean?

Notes

References

• MITRE
• NVD
• Launchpad
• Debian

Other references

• https://www.cve.org/CVERecord?id=CVE-2025-14178
• https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2
• https://github.com/php/php-src/commit/8b801151bd54b36aae4593ed6cfc096e8122b415 (php-8.4.16)