PHP CVE-2026-12184 Flaw Enables Remote DoS Attacks on PHP-FPM
PHP CVE-2026-12184 Exposes Web Applications to Remote DoS Attacks Through TLS Handling FlawA newly disclosed high-severity vulnerability in PHP, tracked as CVE-2026-12184, poses a significant threat to web applications by enabling remotely triggerable denial-of-service (DoS) attacks.
The flaw affects several supported PHP branches and can cause entire PHP-FPM process pools to crash, potentially leading to widespread service disruptions.
Security researchers warn that the vulnerability is particularly concerning because it does not require sophisticated exploitation techniques, authentication bypasses, or specially crafted payloads.
Instead, a malicious or misconfigured remote server can exploit weaknesses in PHP’s Transport Layer Security (TLS) error-handling mechanisms to destabilize services and repeatedly trigger application failures.
PHP CVE-2026-12184 Flaw
The vulnerability is documented under GitHub Security Advisory GHSA-mhmq-mmqj-2v39 and affects PHP versions earlier than 8.3.32, 8.4.21, and 8.5.6. According to researchers, the issue resides within the php_stream_url_wrap_http_ex() function, which is responsible for managing HTTP stream operations.
The flaw occurs when TLS initialization fails during outbound HTTPS connections, a situation that can arise due to expired certificates, peer hostname validation errors, invalid certificate chains, or improperly configured remote endpoints.
Under normal circumstances, PHP functions such as php_stream_xport_crypto_setup() and php_stream_xport_crypto_enable() correctly close the affected stream and reset its pointer to NULL when cryptographic initialization encounters an error.
However, the vulnerability stems from a subsequent cleanup routine that incorrectly assumes the stream resource remains valid even after it has been released.
The cleanup process attempts to reset peer-related information without verifying whether the stream still exists, resulting in a use-after-free style condition.
This logic flaw can destabilize the PHP runtime and eventually lead to process crashes. Since exploitation only requires presenting an invalid TLS configuration, attackers can potentially leverage malicious HTTPS endpoints or compromised services to repeatedly induce failures in applications that initiate outbound encrypted connections.
The impact is especially severe in environments running PHP-FPM, which is widely used to power modern high-traffic websites and web applications.
PHP-FPM organizes worker processes into pools that handle incoming requests, and a crash affecting one worker can destabilize or terminate the entire pool. Because many PHP applications rely heavily on outbound HTTPS communications with APIs, cloud platforms, payment gateways, and authentication services, attackers may be able to exploit the vulnerability to trigger repeated worker failures and sustain denial-of-service conditions.
This creates a practical attack vector capable of affecting service availability and operational continuity in production environments.
The vulnerability was discovered by security researcher ndossche using a hybrid static-dynamic analysis methodology, demonstrating the growing effectiveness of automated vulnerability discovery tools in identifying subtle memory management and logic issues in mature software projects.
Modern analysis techniques are increasingly capable of uncovering vulnerabilities that may remain undetected during conventional manual code reviews, particularly in large and widely deployed codebases such as PHP.PHP maintainers addressed the issue through pull request #21031, releasing patched versions 8.3.32, 8.4.21, and 8.5.6.
Security teams are strongly advised to upgrade immediately, as no official workaround or temporary mitigation has been documented. Applying the latest updates remains the primary defense against exploitation.
In parallel, developers also fixed another vulnerability, CVE-2026-14355, affecting PHP’s OpenSSL extension. This moderate-severity issue involves memory corruption within the openssl_encrypt() function when using the AES-WRAP-PAD algorithm.
The flaw arises from improper buffer sizing that fails to account for RFC 5649 padding requirements, potentially causing application instability and limited denial-of-service scenarios.
Although exploitation is considered more complex, security experts recommend prioritizing updates for internet-facing PHP deployments, monitoring PHP-FPM workers for abnormal crashes, and investigating repeated process restarts that could indicate attempted exploitation.
The disclosure reinforces the importance of robust error handling in cryptographic operations and highlights the ongoing challenges of maintaining security and stability in widely used server-side runtimes such as PHP.
No Comment! Be the first one.