{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-27T19:27:41Z",
  "bugzilla" : {
    "description" : "php: heap-based buffer overflow in array_merge()",
    "id" : "2425625",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425625"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-787",
  "details" : [ "In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.", "A flaw was found in PHP. A heap-based buffer overflow occurs in the array_merge function when the total element count of packed arrays exceeds the 32-bit limit or the internal HT_MAX_SIZE due to an integer overflow in the precomputation of element counts using the zend_hash_num_elements function, causing a process crash and potentially memory corruption." ],
  "statement" : "To exploit this issue, an attacker must be able to pass arrays to array_merge() containing a very large number of elements, specifically the total element count must exceed the 32-bit integer limit or the internal HT_MAX_SIZE constant. Creating such a massive array often triggers the memory limit of PHP and the system, causing an out-of-memory condition before the buffer overflow can be triggered, increasing the complexity of exploitation.\nAlso, default Red Hat Enterprise Linux security features, including SELinux enforcement, Address Space Layout Randomization (ASLR) and memory protections, significantly increase the difficulty of achieving arbitrary code execution, limiting the impact of this vulnerability.\nFor these reasons, this flaw has been rated with a moderate severity.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1628",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "php-0:8.3.29-1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-01-26T00:00:00Z",
    "advisory" : "RHSA-2026:1185",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "php-0:8.3.19-1.el10_0.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-01-27T00:00:00Z",
    "advisory" : "RHSA-2026:1412",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "php:8.2-8100020260106091451.f7998665"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2470",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "php:7.4-8100020260119075152.f7998665"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-03-12T00:00:00Z",
    "advisory" : "RHSA-2026:4507",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "php:7.4-8040020260303010445.d7c09045"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-03-12T00:00:00Z",
    "advisory" : "RHSA-2026:4507",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4",
    "package" : "php:7.4-8040020260303010445.d7c09045"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-03-12T00:00:00Z",
    "advisory" : "RHSA-2026:4517",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "php:7.4-8060020260303005945.5caa48ff"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-03-12T00:00:00Z",
    "advisory" : "RHSA-2026:4517",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "php:7.4-8060020260303005945.5caa48ff"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-03-12T00:00:00Z",
    "advisory" : "RHSA-2026:4517",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "php:7.4-8060020260303005945.5caa48ff"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-03-12T00:00:00Z",
    "advisory" : "RHSA-2026:4514",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "php:7.4-8080020260303005237.0b4eb31d"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-03-12T00:00:00Z",
    "advisory" : "RHSA-2026:4514",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "php:7.4-8080020260303005237.0b4eb31d"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-27T00:00:00Z",
    "advisory" : "RHSA-2026:1409",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php:8.2-9070020260107073439.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-27T00:00:00Z",
    "advisory" : "RHSA-2026:1429",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php:8.3-9070020260108073701.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2799",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php-0:8.0.30-5.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-03-10T00:00:00Z",
    "advisory" : "RHSA-2026:4212",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "php-0:8.0.13-2.el9_0.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-03-11T00:00:00Z",
    "advisory" : "RHSA-2026:4266",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "php-0:8.0.30-1.el9_2.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-01-26T00:00:00Z",
    "advisory" : "RHSA-2026:1169",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "php:8.2-9040020260116191026.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:4077",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "php-0:8.0.30-1.el9_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-01-26T00:00:00Z",
    "advisory" : "RHSA-2026:1187",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "php:8.2-9060020260116185805.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-01-26T00:00:00Z",
    "advisory" : "RHSA-2026:1190",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "php:8.3-9060020260116180534.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:4086",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "php-0:8.0.30-3.el9_6.1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7614",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "php-main-8.5.5-1.1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "php8.4",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Not affected",
    "package_name" : "devspaces/code-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Not affected",
    "package_name" : "devspaces-tech-preview/idea-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-14178\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-14178\nhttps://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2" ],
  "name" : "CVE-2025-14178",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}