Security update for php8 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0370-1 Final 1 1 2026-02-03T15:20:49Z current 2026-02-03T15:20:49Z 2026-02-03T15:20:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for php8 This update for php8 fixes the following issues: - CVE-2025-14178: heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE (bsc#1255711). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-370 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260370-1/ Link for SUSE-SU-2026:0370-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024036.html E-Mail link for SUSE-SU-2026:0370-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1255711 SUSE Bug 1255711 https://www.suse.com/security/cve/CVE-2025-14178/ SUSE CVE CVE-2025-14178 page apache2-mod_php8-8.0.30-150400.4.60.1 php8-8.0.30-150400.4.60.1 php8-bcmath-8.0.30-150400.4.60.1 php8-bz2-8.0.30-150400.4.60.1 php8-calendar-8.0.30-150400.4.60.1 php8-cli-8.0.30-150400.4.60.1 php8-ctype-8.0.30-150400.4.60.1 php8-curl-8.0.30-150400.4.60.1 php8-dba-8.0.30-150400.4.60.1 php8-devel-8.0.30-150400.4.60.1 php8-dom-8.0.30-150400.4.60.1 php8-embed-8.0.30-150400.4.60.1 php8-enchant-8.0.30-150400.4.60.1 php8-exif-8.0.30-150400.4.60.1 php8-fastcgi-8.0.30-150400.4.60.1 php8-fileinfo-8.0.30-150400.4.60.1 php8-fpm-8.0.30-150400.4.60.1 php8-ftp-8.0.30-150400.4.60.1 php8-gd-8.0.30-150400.4.60.1 php8-gettext-8.0.30-150400.4.60.1 php8-gmp-8.0.30-150400.4.60.1 php8-iconv-8.0.30-150400.4.60.1 php8-intl-8.0.30-150400.4.60.1 php8-ldap-8.0.30-150400.4.60.1 php8-mbstring-8.0.30-150400.4.60.1 php8-mysql-8.0.30-150400.4.60.1 php8-odbc-8.0.30-150400.4.60.1 php8-opcache-8.0.30-150400.4.60.1 php8-openssl-8.0.30-150400.4.60.1 php8-pcntl-8.0.30-150400.4.60.1 php8-pdo-8.0.30-150400.4.60.1 php8-pgsql-8.0.30-150400.4.60.1 php8-phar-8.0.30-150400.4.60.1 php8-posix-8.0.30-150400.4.60.1 php8-readline-8.0.30-150400.4.60.1 php8-shmop-8.0.30-150400.4.60.1 php8-snmp-8.0.30-150400.4.60.1 php8-soap-8.0.30-150400.4.60.1 php8-sockets-8.0.30-150400.4.60.1 php8-sodium-8.0.30-150400.4.60.1 php8-sqlite-8.0.30-150400.4.60.1 php8-sysvmsg-8.0.30-150400.4.60.1 php8-sysvsem-8.0.30-150400.4.60.1 php8-sysvshm-8.0.30-150400.4.60.1 php8-test-8.0.30-150400.4.60.1 php8-tidy-8.0.30-150400.4.60.1 php8-tokenizer-8.0.30-150400.4.60.1 php8-xmlreader-8.0.30-150400.4.60.1 php8-xmlwriter-8.0.30-150400.4.60.1 php8-xsl-8.0.30-150400.4.60.1 php8-zip-8.0.30-150400.4.60.1 php8-zlib-8.0.30-150400.4.60.1 In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. CVE-2025-14178 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260370-1/ https://www.suse.com/security/cve/CVE-2025-14178.html CVE-2025-14178 https://bugzilla.suse.com/1255711 SUSE Bug 1255711