Bug 2425626 (CVE-2025-14177)

Summary: CVE-2025-14177 php: PHP: Information disclosure via getimagesize() function when reading multi-chunk images
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jkoehler, lphiri, sdawley
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in PHP. The getimagesize() function may leak uninitialized heap memory when processing images in multi-chunk mode, such as through php://filter. This vulnerability, caused by a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, allows an attacker to potentially disclose sensitive information from the server's memory. This could compromise the confidentiality of data on the affected server.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-27 20:01:12 UTC 
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Comment 4 errata-xmlrpc 2026-01-27 17:30:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:1412 https://access.redhat.com/errata/RHSA-2026:1412
Comment 5 errata-xmlrpc 2026-01-27 17:55:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1409 https://access.redhat.com/errata/RHSA-2026:1409
Comment 6 errata-xmlrpc 2026-01-27 19:25:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1429 https://access.redhat.com/errata/RHSA-2026:1429
Comment 7 errata-xmlrpc 2026-02-02 01:48:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1628 https://access.redhat.com/errata/RHSA-2026:1628
Comment 8 errata-xmlrpc 2026-02-10 20:13:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2470 https://access.redhat.com/errata/RHSA-2026:2470
Comment 9 errata-xmlrpc 2026-02-17 10:42:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2799 https://access.redhat.com/errata/RHSA-2026:2799