CyberSecurity SEE

PHP TLS Vulnerability Allows Remote Server to Cause DoS and Crash the Entire FPM Process

PHP TLS Vulnerability Allows Remote Server to Cause DoS and Crash the Entire FPM Process

A newly disclosed high-severity vulnerability, tracked as CVE-2026-12184, has emerged in PHP, presenting a significant risk to web applications by allowing malicious actors to remotely trigger a denial-of-service (DoS) condition. This flaw can lead to entire PHP-FPM (FastCGI Process Manager) process pools crashing, potentially disrupting web services reliant on PHP.

The specifics of this vulnerability, which has been detailed in the GitHub advisory identified as GHSA-mhmq-mmqj-2v39, indicate that it affects several supported branches of PHP. Specifically, those versions preceding 8.3.32, 8.4.21, and 8.5.6 are vulnerable. The gravity of this issue highlights the importance of timely updates and vigilant management of applications using PHP.

### The Underlying Flaw in PHP’s HTTP Stream Handling

At the heart of this vulnerability lies a flaw in PHP’s HTTP stream-handling logic, specifically within the function php_stream_url_wrap_http_ex. This critical function is responsible for managing internet communications via HTTP and HTTPS. According to the advisory, the bug becomes evident when the Transport Layer Security (TLS) initialization fails during outbound connections. Flaws such as expired certificates or issues with validating peer names can lead to this failure.

In cases where TLS setup fails through functions like php_stream_xport_crypto_setup or php_stream_xport_crypto_enable, the stream resource is intended to be closed and reset to NULL. However, the subsequent cleanup routine erroneously assumes that the stream remains valid and attempts to reset the peer name unconditionally. This logical flaw essentially introduces a condition akin to use-after-free, thereby leading to instability within the PHP processes and ultimately causing a crash.

### The Real-World Impact and Exploitation Risks

The implications of this vulnerability are significant, particularly within PHP-FPM applications, where a single crash could terminate all worker processes. This scenario can lead to total service disruption, making it a tempting target for remote attackers. Given that PHP-FPM is commonly used in high-traffic web applications, the potential for an attack to cause repeated service downtime presents a considerable risk.

Evidence from public discussions about this issue suggests that exploitation does not necessitate crafting specially designed payloads or employing complex attack chains. A malicious or misconfigured remote server can trigger the failure condition simply by presenting an invalid TLS configuration. This accessibility elevates the danger of the vulnerability, especially in environments where PHP applications regularly initiate outbound HTTPS requests.

### Discovery and Remediation

The vulnerability was discovered by security researcher ndossche, who utilized hybrid static-dynamic analysis tools. This finding underscores the effectiveness of automated vulnerability discovery techniques in revealing subtle memory and logic issues in well-established codebases. This growing trend highlights the necessity for continuous scrutiny and adaptation as security landscapes evolve.

Following the discovery, PHP maintainers released a patch through pull request #21031. Immediate action is urged, with users advised to update to patched versions: PHP 8.3.32, 8.4.21, or 8.5.6. As of now, no official workarounds have been documented, making the process of patching crucial for mitigating the vulnerability.

In tandem with this critical vulnerability, another moderate-severity flaw has been identified and patched in PHP’s OpenSSL extension, tracked as CVE-2026-14355. This issue pertains to memory corruption arising in the openssl_encrypt function when employing the AES-WRAP-PAD algorithm. The problem stems from improper buffer sizing that does not adhere to the padding requirements defined in RFC 5649. Although exploitation of this issue is deemed to be more complex, it still poses a threat, potentially resulting in application crashes and limited DoS scenarios.

### Recommendations for Security Teams

Security teams are advised to prioritize patching all internet-facing PHP deployments and to scrutinize application behavior when dealing with outbound TLS connections. Monitoring for abnormal FPM crashes or repeated worker restarts may prove beneficial in detecting potential exploitation attempts.

Ultimately, the disclosure of CVE-2026-12184 serves as a reminder of the critical importance of implementing robust error-handling mechanisms, particularly concerning cryptographic operations in widely used server-side runtimes like PHP. This vulnerability emphasizes the need for ongoing vigilance and proactive measures in safeguarding web applications.

Source link

Exit mobile version