The advisory covers three distinct vulnerabilities in PHP 8.3 as packaged for Red Hat Enterprise Linux 9. CVE-2025-14178 is a heap-based buffer overflow in array_merge(), which could lead to memory corruption. CVE-2025-14177 involves information disclosure through the getimagesize() function when handling multi-chunk images. CVE-2025-14180 is a denial of service vulnerability caused by invalid character sequences in PDO PostgreSQL prepared statements. Red Hat has issued an update to the php:8.3 module that addresses these issues. The advisory references bugzilla entries for each CVE and provides links for applying the update. The vulnerabilities are rated as having an Important security impact by Red Hat Product Security. No CVSS scores are provided in the advisory.

Successful exploitation of these vulnerabilities could result in memory corruption (heap-based buffer overflow), unauthorized information disclosure, or denial of service conditions in PHP applications running on affected Red Hat Enterprise Linux 9 systems. The advisory does not report any known active exploitation in the wild. The impact is rated as Important by Red Hat, indicating a high severity level that could affect confidentiality, integrity, or availability of affected systems.

Red Hat has released an updated php:8.3 module for Red Hat Enterprise Linux 9 that fixes these vulnerabilities. Users should apply the update as described in the Red Hat advisory (RHSA-2026:1429) and the referenced article https://access.redhat.com/articles/11258 to remediate the issues. Since this is a traditional software package and not a cloud service, remediation requires applying the vendor-provided update. There is no indication that no action is required or that these issues are already mitigated without patching.