Security update for php8 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20113-1 Final 1 1 2026-01-26T12:37:41Z current 2026-01-26T12:37:41Z 2026-01-26T12:37:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for php8 This update for php8 fixes the following issues: Version update to 8.4.16: Security fixes: - CVE-2025-14177: getimagesize() function may leak uninitialized heap memory into the APPn segments when reading images in multi-chunk mode (bsc#1255710). - CVE-2025-14178: heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE (bsc#1255711). - CVE-2025-14180: null pointer dereference in pdo_parse_params() function when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled (bsc#1255712). Other fixes: - php8 contains Directories owned by wwwrun but does not require User. (bsc#1255043) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-198 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1255043 SUSE Bug 1255043 https://bugzilla.suse.com/1255710 SUSE Bug 1255710 https://bugzilla.suse.com/1255711 SUSE Bug 1255711 https://bugzilla.suse.com/1255712 SUSE Bug 1255712 https://www.suse.com/security/cve/CVE-2025-14177/ SUSE CVE CVE-2025-14177 page https://www.suse.com/security/cve/CVE-2025-14178/ SUSE CVE CVE-2025-14178 page https://www.suse.com/security/cve/CVE-2025-14180/ SUSE CVE CVE-2025-14180 page openSUSE Leap 16.0 apache2-mod_php8-8.4.16-160000.1.1 php8-8.4.16-160000.1.1 php8-bcmath-8.4.16-160000.1.1 php8-bz2-8.4.16-160000.1.1 php8-calendar-8.4.16-160000.1.1 php8-cli-8.4.16-160000.1.1 php8-ctype-8.4.16-160000.1.1 php8-curl-8.4.16-160000.1.1 php8-dba-8.4.16-160000.1.1 php8-devel-8.4.16-160000.1.1 php8-dom-8.4.16-160000.1.1 php8-embed-8.4.16-160000.1.1 php8-enchant-8.4.16-160000.1.1 php8-exif-8.4.16-160000.1.1 php8-fastcgi-8.4.16-160000.1.1 php8-ffi-8.4.16-160000.1.1 php8-fileinfo-8.4.16-160000.1.1 php8-fpm-8.4.16-160000.1.1 php8-fpm-apache-8.4.16-160000.1.1 php8-ftp-8.4.16-160000.1.1 php8-gd-8.4.16-160000.1.1 php8-gettext-8.4.16-160000.1.1 php8-gmp-8.4.16-160000.1.1 php8-iconv-8.4.16-160000.1.1 php8-intl-8.4.16-160000.1.1 php8-ldap-8.4.16-160000.1.1 php8-mbstring-8.4.16-160000.1.1 php8-mysql-8.4.16-160000.1.1 php8-odbc-8.4.16-160000.1.1 php8-opcache-8.4.16-160000.1.1 php8-openssl-8.4.16-160000.1.1 php8-pcntl-8.4.16-160000.1.1 php8-pdo-8.4.16-160000.1.1 php8-pgsql-8.4.16-160000.1.1 php8-phar-8.4.16-160000.1.1 php8-posix-8.4.16-160000.1.1 php8-readline-8.4.16-160000.1.1 php8-shmop-8.4.16-160000.1.1 php8-snmp-8.4.16-160000.1.1 php8-soap-8.4.16-160000.1.1 php8-sockets-8.4.16-160000.1.1 php8-sodium-8.4.16-160000.1.1 php8-sqlite-8.4.16-160000.1.1 php8-sysvmsg-8.4.16-160000.1.1 php8-sysvsem-8.4.16-160000.1.1 php8-sysvshm-8.4.16-160000.1.1 php8-test-8.4.16-160000.1.1 php8-tidy-8.4.16-160000.1.1 php8-tokenizer-8.4.16-160000.1.1 php8-xmlreader-8.4.16-160000.1.1 php8-xmlwriter-8.4.16-160000.1.1 php8-xsl-8.4.16-160000.1.1 php8-zip-8.4.16-160000.1.1 php8-zlib-8.4.16-160000.1.1 apache2-mod_php8-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-bcmath-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-bz2-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-calendar-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-cli-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-ctype-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-curl-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-dba-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-devel-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-dom-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-embed-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-enchant-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-exif-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-fastcgi-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-ffi-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-fileinfo-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-fpm-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-fpm-apache-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-ftp-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-gd-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-gettext-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-gmp-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-iconv-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-intl-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-ldap-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-mbstring-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-mysql-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-odbc-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-opcache-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-openssl-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-pcntl-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-pdo-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-pgsql-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-phar-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-posix-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-readline-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-shmop-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-snmp-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-soap-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-sockets-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-sodium-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-sqlite-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-sysvmsg-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-sysvsem-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-sysvshm-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-test-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-tidy-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-tokenizer-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-xmlreader-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-xmlwriter-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-xsl-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-zip-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 php8-zlib-8.4.16-160000.1.1 as a component of openSUSE Leap 16.0 In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. CVE-2025-14177 openSUSE Leap 16.0:apache2-mod_php8-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-bcmath-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-bz2-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-calendar-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-cli-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-ctype-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-curl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-dba-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-devel-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-dom-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-embed-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-enchant-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-exif-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-fastcgi-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-ffi-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-fileinfo-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-fpm-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-fpm-apache-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-ftp-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-gd-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-gettext-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-gmp-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-iconv-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-intl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-ldap-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-mbstring-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-mysql-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-odbc-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-opcache-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-openssl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-pcntl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-pdo-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-pgsql-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-phar-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-posix-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-readline-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-shmop-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-snmp-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-soap-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sockets-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sodium-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sqlite-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sysvmsg-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sysvsem-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sysvshm-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-test-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-tidy-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-tokenizer-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-xmlreader-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-xmlwriter-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-xsl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-zip-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-zlib-8.4.16-160000.1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14177.html CVE-2025-14177 https://bugzilla.suse.com/1255710 SUSE Bug 1255710 In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. CVE-2025-14178 openSUSE Leap 16.0:apache2-mod_php8-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-bcmath-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-bz2-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-calendar-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-cli-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-ctype-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-curl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-dba-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-devel-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-dom-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-embed-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-enchant-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-exif-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-fastcgi-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-ffi-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-fileinfo-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-fpm-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-fpm-apache-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-ftp-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-gd-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-gettext-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-gmp-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-iconv-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-intl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-ldap-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-mbstring-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-mysql-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-odbc-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-opcache-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-openssl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-pcntl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-pdo-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-pgsql-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-phar-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-posix-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-readline-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-shmop-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-snmp-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-soap-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sockets-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sodium-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sqlite-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sysvmsg-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sysvsem-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sysvshm-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-test-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-tidy-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-tokenizer-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-xmlreader-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-xmlwriter-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-xsl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-zip-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-zlib-8.4.16-160000.1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14178.html CVE-2025-14178 https://bugzilla.suse.com/1255711 SUSE Bug 1255711 In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server. CVE-2025-14180 openSUSE Leap 16.0:apache2-mod_php8-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-bcmath-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-bz2-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-calendar-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-cli-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-ctype-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-curl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-dba-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-devel-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-dom-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-embed-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-enchant-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-exif-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-fastcgi-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-ffi-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-fileinfo-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-fpm-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-fpm-apache-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-ftp-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-gd-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-gettext-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-gmp-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-iconv-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-intl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-ldap-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-mbstring-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-mysql-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-odbc-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-opcache-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-openssl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-pcntl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-pdo-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-pgsql-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-phar-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-posix-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-readline-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-shmop-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-snmp-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-soap-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sockets-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sodium-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sqlite-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sysvmsg-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sysvsem-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-sysvshm-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-test-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-tidy-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-tokenizer-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-xmlreader-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-xmlwriter-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-xsl-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-zip-8.4.16-160000.1.1 openSUSE Leap 16.0:php8-zlib-8.4.16-160000.1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14180.html CVE-2025-14180 https://bugzilla.suse.com/1255712 SUSE Bug 1255712