CVE-2025-14177
Publication date 27 December 2025
Last updated 12 January 2026
Ubuntu priority
Description
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| php5 | ||
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 14.04 LTS trusty |
Not affected
|
|
| php7.0 | ||
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 16.04 LTS xenial |
Not affected
|
|
| php7.2 | ||
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Not affected
|
|
| php7.4 | ||
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Not affected
|
|
| php8.1 | ||
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Not affected
|
|
| php8.3 | ||
| 24.04 LTS noble |
Fixed 8.3.6-0ubuntu0.24.04.6
|
|
| 22.04 LTS jammy | Not in release | |
| php8.4 | ||
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |
Notes
References
Related Ubuntu Security Notices (USN)
- USN-7953-1
- PHP vulnerabilities
- 12 January 2026