Bug 2425625 (CVE-2025-14178)

Summary: CVE-2025-14178 php: heap-based buffer overflow in array_merge()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jkoehler, lphiri, rhel-process-autobot, sdawley, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in PHP. A heap-based buffer overflow occurs in the array_merge function when the total element count of packed arrays exceeds the 32-bit limit or the internal HT_MAX_SIZE due to an integer overflow in the precomputation of element counts using the zend_hash_num_elements function, causing a process crash and potentially memory corruption.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-27 20:01:08 UTC 
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
Comment 2 errata-xmlrpc 2026-01-26 10:24:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:1169 https://access.redhat.com/errata/RHSA-2026:1169
Comment 3 errata-xmlrpc 2026-01-26 11:35:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:1185 https://access.redhat.com/errata/RHSA-2026:1185
Comment 4 errata-xmlrpc 2026-01-26 12:05:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:1187 https://access.redhat.com/errata/RHSA-2026:1187
Comment 5 errata-xmlrpc 2026-01-26 12:47:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:1190 https://access.redhat.com/errata/RHSA-2026:1190
Comment 6 errata-xmlrpc 2026-01-27 17:30:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:1412 https://access.redhat.com/errata/RHSA-2026:1412
Comment 7 errata-xmlrpc 2026-01-27 17:55:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1409 https://access.redhat.com/errata/RHSA-2026:1409
Comment 8 errata-xmlrpc 2026-01-27 19:25:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1429 https://access.redhat.com/errata/RHSA-2026:1429
Comment 9 errata-xmlrpc 2026-02-02 01:48:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1628 https://access.redhat.com/errata/RHSA-2026:1628
Comment 10 errata-xmlrpc 2026-02-10 20:13:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2470 https://access.redhat.com/errata/RHSA-2026:2470
Comment 11 errata-xmlrpc 2026-02-17 10:42:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2799 https://access.redhat.com/errata/RHSA-2026:2799
Comment 12 errata-xmlrpc 2026-03-09 14:32:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:4077 https://access.redhat.com/errata/RHSA-2026:4077
Comment 13 errata-xmlrpc 2026-03-09 15:16:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:4086 https://access.redhat.com/errata/RHSA-2026:4086
Comment 14 errata-xmlrpc 2026-03-10 17:28:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:4212 https://access.redhat.com/errata/RHSA-2026:4212
Comment 15 errata-xmlrpc 2026-03-11 06:49:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:4266 https://access.redhat.com/errata/RHSA-2026:4266
Comment 16 errata-xmlrpc 2026-03-12 15:26:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:4507 https://access.redhat.com/errata/RHSA-2026:4507
Comment 17 errata-xmlrpc 2026-03-12 16:09:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:4514 https://access.redhat.com/errata/RHSA-2026:4514
Comment 18 errata-xmlrpc 2026-03-12 16:21:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:4517 https://access.redhat.com/errata/RHSA-2026:4517