🟠 High | Source: Microsoft Security Response Center
CVE-2026-14355 is a memory corruption vulnerability in PHP’s OpenSSL extension, specifically triggered when using the AES-WRAP-PAD encryption mode via the openssl_encrypt function. Memory corruption flaws of this type can potentially allow attackers to crash affected services or, in more severe cases, execute arbitrary code. This is particularly relevant to Azure-hosted PHP workloads where untrusted input may influence encryption operations.
Security Architect’s Take: Audit any Azure-hosted PHP applications using openssl_encrypt with AES-WRAP-PAD and prioritise patching to a fixed PHP release; consider applying Web Application Firewall rules to restrict untrusted input reaching cryptographic functions until a patch is deployed.
Original advisory: CVE-2026-14355 ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD