
openSUSE php8 Moderate Update 2026-20113-1 Heap Overflow Risk

January 27, 2026
An important openSUSE security update for php8 fixes three issues and four bugs that need attention from users.
An update that solves 3 vulnerabilities and has 4 bug fixes can now be installed.

Description

This update for php8 fixes the following issues:

Version update to 8.4.16:

Security fixes:

- CVE-2025-14177: getimagesize() function may leak uninitialized heap memory into the APPn segments when reading images in multi-chunk mode (bsc#1255710).

- CVE-2025-14178: heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE (bsc#1255711).

- CVE-2025-14180: null pointer dereference in pdo_parse_params() function when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled (bsc#1255712).

Other fixes:

- php8 contains directories owned by wwwrun but does not require User. (bsc#1255043)

Patch instructions:

To install this openSUSE security update, use the SUSE-recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-198=1


Package List

- openSUSE Leap 16.0:

apache2-mod_php8-8.4.16-160000.1.1

php8-8.4.16-160000.1.1

php8-bcmath-8.4.16-160000.1.1

php8-bz2-8.4.16-160000.1.1

php8-calendar-8.4.16-160000.1.1

php8-cli-8.4.16-160000.1.1

php8-ctype-8.4.16-160000.1.1

php8-curl-8.4.16-160000.1.1

php8-dba-8.4.16-160000.1.1

php8-devel-8.4.16-160000.1.1

php8-dom-8.4.16-160000.1.1

php8-embed-8.4.16-160000.1.1

php8-enchant-8.4.16-160000.1.1

php8-exif-8.4.16-160000.1.1

php8-fastcgi-8.4.16-160000.1.1

php8-ffi-8.4.16-160000.1.1

php8-fileinfo-8.4.16-160000.1.1

php8-fpm-8.4.16-160000.1.1

php8-fpm-apache-8.4.16-160000.1.1

php8-ftp-8.4.16-160000.1.1

php8-gd-8.4.16-160000.1.1

php8-gettext-8.4.16-160000.1.1

php8-gmp-8.4.16-160000.1.1

php8-iconv-8.4.16-160000.1.1

php8-intl-8.4.16-160000.1.1

php8-ldap-8.4.16-160000.1.1

php8-mbstring-8.4.16-160000.1.1

php8-mysql-8.4.16-160000.1.1

php8-odbc-8.4.16-160000.1.1

php8-opcache-8.4.16-160000.1.1

php8-openssl-8.4.16-160000.1.1

php8-pcntl-8.4.16-160000.1.1

php8-pdo-8.4.16-160000.1.1

php8-pgsql-8.4.16-160000.1.1

php8-phar-8.4.16-160000.1.1

p...
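To confirm that a host actually received the fixed build after patching, the installed php8 packages can be compared against the 8.4.16-160000.1.1 release from the package list above. The script below is an added example, not part of the advisory; the function names and the sample inventory are constructed, and `sort -V` is assumed to be a close enough stand-in for RPM's version ordering on these numeric strings.

```shell
#!/bin/sh
# Fixed build taken from the advisory's package list.
FIXED_VER="8.4.16"
FIXED_REL="160000.1.1"

# ver_lt A B: true when A sorts strictly before B under GNU `sort -V`.
# Assumption: this approximates RPM's ordering for these numeric strings.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# find_unpatched: reads NAME-VERSION-RELEASE lines on stdin and prints each
# php8 package older than the fixed build. Returns 1 if any was found.
find_unpatched() {
    status=0
    while IFS= read -r nvr; do
        [ -n "$nvr" ] || continue
        rel=${nvr##*-}; rest=${nvr%-*}      # split off the release field
        ver=${rest##*-}; name=${rest%-*}    # then the version; rest is the name
        case "$name" in
            php8|php8-*|apache2-mod_php8) ;;
            *) continue ;;
        esac
        if ver_lt "$ver" "$FIXED_VER" ||
           { [ "$ver" = "$FIXED_VER" ] && ver_lt "$rel" "$FIXED_REL"; }; then
            printf '%s\n' "$nvr"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample inventory (not from a real host).
sample_inventory() {
    cat <<'EOF'
apache2-mod_php8-8.4.16-160000.1.1
php8-8.4.16-160000.1.1
php8-pdo-8.4.15-160000.2.1
php8-pgsql-8.4.9-160000.1.1
php8-gd-8.4.16-160000.1.1
php8-exif-8.4.16-160000.0.9
zlib-1.3.1-160000.1.1
EOF
}

# On a real host, replace sample_inventory with:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'php8*' 'apache2-mod_php8'
sample_inventory | find_unpatched || echo "unpatched php8 packages present" >&2
```

A non-zero exit status from find_unpatched makes the check easy to wire into configuration management or a monitoring probe.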


References

* bsc#1255043

* bsc#1255710

* bsc#1255711

* bsc#1255712

References:

* https://www.suse.com/security/cve/CVE-2025-14177.html

* https://www.suse.com/security/cve/CVE-2025-14178.html

* https://www.suse.com/security/cve/CVE-2025-14180.html

Announcement ID: openSUSE-SU-2026:20113-1
Rating: moderate
Affected Products: openSUSE Leap 16.0
