🟠 High  |  Source: Microsoft Security Response Center


CVE-2026-14355 is a memory corruption vulnerability in PHP’s OpenSSL extension, specifically triggered when using the AES-WRAP-PAD encryption mode via the openssl_encrypt function. Memory corruption flaws of this type can potentially allow attackers to crash affected services or, in more severe cases, execute arbitrary code. This is particularly relevant to Azure-hosted PHP workloads where untrusted input may influence encryption operations.

Security Architect’s Take: Audit any Azure-hosted PHP applications using openssl_encrypt with AES-WRAP-PAD and prioritise patching to a fixed PHP release; consider applying Web Application Firewall rules to restrict untrusted input reaching cryptographic functions until a patch is deployed.

Original advisory: CVE-2026-14355 ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD