Critical PHP Vulnerabilities Enable DoS Attacks on Web Applications

Critical PHP Vulnerabilities Enable DoS Attacks on Web Applications

First seen 6 Jul 2026, 13:56 UTC GbhackersCybersecuritynewsTechlomedia.Insecurity.snyk.iogithub.com 86% similarity 74.0

Article Content

Browse articles
ThreatCluster

Two critical vulnerabilities in PHP, CVE-2026-12184 and CVE-2026-14355, have been disclosed, posing significant risks to web applications. CVE-2026-12184 allows attackers to trigger denial-of-service (DoS) conditions by exploiting flaws in PHP's HTTP stream-handling logic during TLS initialization failures. This can lead to crashes of the PHP FastCGI Process Manager (PHP-FPM), affecting multiple PHP versions prior to 8.3.32, 8.4.21, and 8.5.6. The second vulnerability, CVE-2026-14355, involves memory corruption in PHP's OpenSSL extension due to improper buffer sizing, which could also lead to application instability. Both vulnerabilities have been patched, and users are urged to update their PHP installations immediately to mitigate risks. The vulnerabilities were identified through automated analysis techniques, highlighting the importance of robust security practices in web development.

Key Points: • CVE-2026-12184 allows remote DoS attacks by exploiting TLS initialization failures. • CVE-2026-14355 involves memory corruption due to improper buffer sizing in OpenSSL. • Website owners must update to patched PHP versions immediately to prevent service disruptions.

ThreatCluster AI

Timeline

2026-06-09
CVE-2026-44963 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-07-02
CVE-2026-12184 published
A critical vulnerability in PHP's HTTP stream-handling logic was disclosed, allowing remote DoS attacks.
Gbhackers
2026-07-02
CVE-2026-52830 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-07-03
CVE-2026-14355 published
A moderate-severity vulnerability in PHP's OpenSSL extension was disclosed, related to memory corruption.
Techlomedia.In
2026-07-06
Security updates released
PHP maintainers released patches for both vulnerabilities, urging immediate updates for affected versions.
Cybersecuritynews

Community

Browse all →