Red Hat Security Advisory: php security update
This Red Hat security advisory addresses multiple vulnerabilities in PHP, including a heap-based buffer overflow in the array_merge() function (CVE-2025-14178), an information disclosure issue via the getimagesize() function when processing multi-chunk images (CVE-2025-14177), and a denial of service vulnerability triggered by invalid character sequences in PDO PostgreSQL prepared statements (CVE-2025-14180). The vulnerabilities affect Red Hat Enterprise Linux 10 and related packages. Red Hat has released updated PHP packages to remediate these issues. The advisory rates the security impact as Important (high severity).
AI Analysis
Technical Summary
The advisory covers three PHP vulnerabilities: CVE-2025-14178 is a heap-based buffer overflow in array_merge(), which could lead to memory corruption; CVE-2025-14177 involves information disclosure through the getimagesize() function when reading multi-chunk images; CVE-2025-14180 is a denial of service vulnerability caused by invalid character sequences in PDO PostgreSQL prepared statements. These issues affect PHP packages distributed with Red Hat Enterprise Linux 10 across multiple architectures. Red Hat has issued updated packages to fix these vulnerabilities as detailed in advisory RHSA-2026:1628.
Potential Impact
Successful exploitation of CVE-2025-14178 could result in memory corruption due to a heap-based buffer overflow. CVE-2025-14177 may allow unauthorized disclosure of information via crafted image files. CVE-2025-14180 can cause denial of service conditions by sending invalid character sequences in PDO PostgreSQL prepared statements. These vulnerabilities collectively impact the confidentiality, integrity, and availability of systems running affected PHP versions on Red Hat Enterprise Linux 10.
Mitigation Recommendations
Red Hat has released updated PHP packages that address these vulnerabilities. Users should apply the security update for PHP on Red Hat Enterprise Linux 10 as described in Red Hat advisory RHSA-2026:1628 and the associated article https://access.redhat.com/articles/11258. Applying these official updates will remediate the vulnerabilities. No additional mitigation steps are indicated by the vendor advisory.
Red Hat Security Advisory: php security update
Description
This Red Hat security advisory addresses multiple vulnerabilities in PHP, including a heap-based buffer overflow in the array_merge() function (CVE-2025-14178), an information disclosure issue via the getimagesize() function when processing multi-chunk images (CVE-2025-14177), and a denial of service vulnerability triggered by invalid character sequences in PDO PostgreSQL prepared statements (CVE-2025-14180). The vulnerabilities affect Red Hat Enterprise Linux 10 and related packages. Red Hat has released updated PHP packages to remediate these issues. The advisory rates the security impact as Important (high severity).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The advisory covers three PHP vulnerabilities: CVE-2025-14178 is a heap-based buffer overflow in array_merge(), which could lead to memory corruption; CVE-2025-14177 involves information disclosure through the getimagesize() function when reading multi-chunk images; CVE-2025-14180 is a denial of service vulnerability caused by invalid character sequences in PDO PostgreSQL prepared statements. These issues affect PHP packages distributed with Red Hat Enterprise Linux 10 across multiple architectures. Red Hat has issued updated packages to fix these vulnerabilities as detailed in advisory RHSA-2026:1628.
Potential Impact
Successful exploitation of CVE-2025-14178 could result in memory corruption due to a heap-based buffer overflow. CVE-2025-14177 may allow unauthorized disclosure of information via crafted image files. CVE-2025-14180 can cause denial of service conditions by sending invalid character sequences in PDO PostgreSQL prepared statements. These vulnerabilities collectively impact the confidentiality, integrity, and availability of systems running affected PHP versions on Red Hat Enterprise Linux 10.
Mitigation Recommendations
Red Hat has released updated PHP packages that address these vulnerabilities. Users should apply the security update for PHP on Red Hat Enterprise Linux 10 as described in Red Hat advisory RHSA-2026:1628 and the associated article https://access.redhat.com/articles/11258. Applying these official updates will remediate the vulnerabilities. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:1628
- Cve Count
- 3
- Additional Cves
- ["CVE-2025-14178","CVE-2025-14180"]
- Cvss Version
- null
Threat ID: 6a248d78e29bf47b50d65334
Added to database: 6/6/2026, 9:13:28 PM
Last enriched: 6/6/2026, 9:19:44 PM
Last updated: 6/7/2026, 4:26:25 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.