Detections
Analytics

SUSE SLES15 Security Update : php8 (SUSE-SU-2026:0086-1)

high Nessus Plugin ID 282545

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0086-1 advisory.

 Security fixes:

 - CVE-2025-14177: getimagesize() function may leak uninitialized heap memory into the APPn segments when reading images in multi-chunk mode (bsc#1255710).
 - CVE-2025-14178: heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE (bsc#1255711).
 - CVE-2025-14180: null pointer dereference in pdo_parse_params() function when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled (bsc#1255712).

 Other fixes:

 Version 8.3.29 Core:
 Sync all boost.context files with release 1.86.0.
 Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter).
 Fixed bug GH-20286 (use-after-destroy during userland stream_close()).
 Bz2:
 Fix assertion failures resulting in crashes with stream filter object parameters.
 Date:
 Fix crashes when trying to instantiate uninstantiable classes via date static constructors.
 DOM:
 Fix missing NUL byte check on C14NFile().
 Fibers:
 Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value).
 FTP:
 Fixed bug GH-20601 (ftp_connect overflow on timeout).
 GD:
 Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
 Fixed bug GH-20602 (imagescale overflow with large height values).
 Intl:
 Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants).
 LibXML:
 Fix some deprecations on newer libxml versions regarding input buffer/parser handling.
 MbString:
 Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma).
 Fixed bug GH-20492 (mbstring compile warning due to non-strings).
 MySQLnd:
 Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets).
 Opcache:
 Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer).
 PDO:
 Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) Phar:
 Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub).
 Fix broken return value of fflush() for phar file entries.
 Fix assertion failure when fseeking a phar file out of bounds.
 PHPDBG:
 Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog().
 SPL:
 Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization).
 Standard:
 Fix memory leak in array_diff() with custom type checks.
 Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures).
 Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()).
 Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) Tidy:
 Fixed bug GH-20374 (PHP with tidy and custom-tags).
 XML:
 Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback).
 Zip:
 Fix crash in property existence test.
 Don't truncate return value of zip_fread() with user sizes.
 Zlib:
 Fix assertion failures resulting in crashes with stream filter object parameters.
 Version 8.3.28 Core:
 Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv).
 Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference).
 Fixed bug GH-19844 (Don't bail when closing resources on shutdown).
 Fixed bug GH-20177 (Accessing overridden private property in get_object_vars() triggers assertion error).
 Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval).
 DOM:
 Partially fixed bug GH-16317 (DOM classes do not allow __debugInfo() overrides to work).
 Exif:
 Fix possible memory leak when tag is empty.
 FPM:
 Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel execution).
 FTP:
 Fixed bug GH-20240 (FTP with SSL: ftp_fput(): Connection timed out on successful writes).
 GD:
 Fixed bug GH-20070 (Return type violation in imagefilter when an invalid filter is provided).
 Intl:
 Fix memory leak on error in locale_filter_matches().
 LibXML:
 Fix not thread safe schema/relaxng calls.
 MySQLnd:
 Fixed bug GH-8978 (SSL certificate verification fails (port doubled)).
 Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL).
 Opcache:
 Fixed bug GH-20081 (access to uninitialized vars in preload_load()).
 Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15).
 PgSql:
 Fix memory leak when first string conversion fails.
 Fix segfaults when attempting to fetch row into a non-instantiable class name.
 Phar:
 Fix memory leak of argument in webPhar.
 Fix memory leak when setAlias() fails.
 Fix a bunch of memory leaks in phar_parse_zipfile() error handling.
 Fix file descriptor/memory leak when opening central fp fails.
 Fix memleak+UAF when opening temp stream in buildFromDirectory() fails.
 Fix potential buffer length truncation due to usage of type int instead of type size_t.
 Fix memory leak when openssl polyfill returns garbage.
 Fix file descriptor leak in phar_zip_flush() on failure.
 Fix memory leak when opening temp file fails while trying to open gzip-compressed archive.
 Fixed bug GH-20302 (Freeing a phar alias may invalidate PharFileInfo objects).
 Random:
 Fix Randomizer::__serialize() w.r.t. INDIRECTs.
 SimpleXML:
 Partially fixed bug GH-16317 (SimpleXML does not allow __debugInfo() overrides to work).
 Standard:
 Fix shm corruption with coercion in options of unserialize().
 Streams:
 Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect condition for Win32/Win64.
 Tidy:
 Fixed GH-19021 (improved tidyOptGetCategory detection).
 Fix UAF in tidy when tidySetErrorBuffer() fails.
 XMLReader:
 Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.
 Windows:
 Fix GH-19722 (_get_osfhandle asserts in debug mode when given a socket).
 Zip:
 Fix memory leak when passing enc_method/enc_password is passed as option for ZipArchive::addGlob()/addPattern() and with consecutive calls.
 Version 8.3.27 Core:
 Fixed bug GH-19765 (object_properties_load() bypasses readonly property checks).
 Fixed hard_timeout with --enable-zend-max-execution-timers.
 Fixed bug GH-19792 (SCCP causes UAF for return value if both warning and exception are triggered).
 Fixed bug GH-19653 (Closure named argument unpacking between temporary closures can cause a crash).
 Fixed bug GH-19839 (Incorrect HASH_FLAG_HAS_EMPTY_IND flag on userland array).
 Fixed bug GH-19480 (error_log php.ini cannot be unset when open_basedir is configured).
 Fixed bug GH-20002 (Broken build on *BSD with MSAN).
 CLI:
 Fix useless 'Failed to poll event' error logs due to EAGAIN in CLI server with PHP_CLI_SERVER_WORKERS.
 Curl:
 Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead of the curl_copy_handle() function to clone a CurlHandle.
 Fix curl build and test failures with version 8.16.
 Date:
 Fixed GH-17159: 'P' format for ::createFromFormat swallows string literals.
 DBA:
 Fixed GH-19885 (dba_fetch() overflow on skip argument).
 GD:
 Fixed GH-19955 (imagefttext() memory leak).
 MySQLnd:
 Fixed bug #67563 (mysqli compiled with mysqlnd does not take ipv6 adress as parameter).
 Phar:
 Fix memory leak and invalid continuation after tar header writing fails.
 Fix memory leaks when creating temp file fails when applying zip signature.
 SimpleXML:
 Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)).
 Soap:
 Fixed bug GH-19784 (SoapServer memory leak).
 Fixed bug GH-20011 (Array of SoapVar of unknown type causes crash).
 Standard:
 Fixed bug GH-12265 (Cloning an object breaks serialization recursion).
 Fixed bug GH-19701 (Serialize/deserialize loses some data).
 Fixed bug GH-19801 (leaks in var_dump() and debug_zval_dump()).
 Fixed bug GH-20043 (array_unique assertion failure with RC1 array causing an exception on sort).
 Fixed bug GH-19926 (reset internal pointer earlier while splicing array while COW violation flag is still set).
 Fixed bug GH-19570 (unable to fseek in /dev/zero and /dev/null).
 Streams:
 Fixed bug GH-19248 (Use strerror_r instead of strerror in main).
 Fixed bug GH-17345 (Bug #35916 was not completely fixed).
 Fixed bug GH-19705 (segmentation when attempting to flush on non seekable stream.
 XMLReader:
 Fixed bug GH-20009 (XMLReader leak on RelaxNG schema failure).
 Zip:
 Fixed bug GH-19688 (Remove pattern overflow in zip addGlob()).
 Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()).
 Zlib:
 Fixed bug GH-19922 (Double free on gzopen).
 Version 8.3.26 Core:
 Fixed bug GH-18850 (Repeated inclusion of file with __halt_compiler() triggers 'Constant already defined' warning).
 Partially fixed bug GH-19542 (Scanning of string literals >=2GB will fail due to signed int overflow).
 Fixed bug GH-19544 (GC treats ZEND_WEAKREF_TAG_MAP references as WeakMap references).
 Fixed bug GH-19613 (Stale array iterator pointer).
 Fixed bug GH-19679 (zend_ssa_range_widening may fail to converge).
 Fixed bug GH-19681 (PHP_EXPAND_PATH broken with bash 5.3.0).
 Fixed bug GH-19720 (Assertion failure when error handler throws when accessing a deprecated constant).
 CLI:
 Fixed bug GH-19461 (Improve error message on listening error with IPv6 address).
 Date:
 Fixed date_sunrise() and date_sunset() with partial-hour UTC offset.
 DOM:
 Fixed bug GH-19612 (Mitigate libxml2 tree dictionary bug).
 FPM:
 Fixed failed debug assertion when php_admin_value setting fails.
 GD:
 Fixed bug GH-19579 (imagefilledellipse underflow on width argument).
 Intl:
 Fixed bug GH-11952 (Fix locale strings canonicalization for IntlDateFormatter and NumberFormatter).
 OpenSSL:
 Fixed bug GH-19245 (Success error message on TLS stream accept failure).
 PGSQL:
 Fixed bug GH-19485 (potential use after free when using persistent pgsql connections).
 Phar:
 Fixed memory leaks when verifying OpenSSL signature.
 Fix memory leak in phar tar temporary file error handling code.
 Fix metadata leak when phar convert logic fails.
 Fix memory leak on failure in phar_convert_to_other().
 Fixed bug GH-19752 (Phar decompression with invalid extension can cause UAF).
 Standard:
 Fixed bug GH-16649 (UAF during array_splice).
 Fixed bug GH-19577 (Avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator).
 Streams:
 Remove incorrect call to zval_ptr_dtor() in user_wrapper_metadata().
 Fix OSS-Fuzz #385993744.
 Tidy:
 Fixed GH-19021 build issue with libtidy in regard of tidyOptIsReadonly deprecation and TidyInternalCategory being available later than tidyOptGetCategory.
 Zip:
 Fix memory leak in zip when encountering empty glob result.
 Version 8.3.25 Core:
 Fixed GH-19169 build issue with C++17 and ZEND_STATIC_ASSERT macro.
 Fixed bug GH-18581 (Coerce numeric string keys from iterators when argument unpacking).
 Fixed OSS-Fuzz #434346548 (Failed assertion with throwing __toString in binary const expr).
 Fixed bug GH-19305 (Operands may be being released during comparison).
 Fixed bug GH-19303 (Unpacking empty packed array into uninitialized array causes assertion failure).
 Fixed bug GH-19306 (Generator can be resumed while fetching next value from delegated Generator).
 Fixed bug GH-19326 (Calling Generator::throw() on a running generator with a non-Generator delegate crashes).
 Fixed bug GH-18736 (Circumvented type check with return by ref + finally).
 Fixed zend call stack size for macOs/arm64.
 Fixed bug GH-19065 (Long match statement can segfault compiler during recursive SSA renaming).
 Calendar:
 Fixed bug GH-19371 (integer overflow in calendar.c).
 FTP:
 Fix theoretical issues with hrtime() not being available.
 GD:
 Fix incorrect comparison with result of php_stream_can_cast().
 Hash:
 Fix crash on clone failure.
 Intl:
 Fixed GH-19261: msgfmt_parse_message leaks on message creation failure.
 Fix return value on failure for resourcebundle count handler.
 LDAP:
 Fixed bug GH-18529 (additional inheriting of TLS int options).
 LibXML:
 Fixed bug GH-19098 (libxml<2.13 segmentation fault caused by php_libxml_node_free).
 MbString:
 Fixed bug GH-19397 (mb_list_encodings() can cause crashes on shutdown).
 Opcache:
 Reset global pointers to prevent use-after-free in zend_jit_status().
 OpenSSL:
 Fixed bug GH-18986 (OpenSSL backend: incorrect RAND_{load,write}_file() return value check).
 Fix error return check of EVP_CIPHER_CTX_ctrl().
 Fixed bug GH-19428 (openssl_pkey_derive segfaults for DH derive with low key_length param).
 PDO Pgsql:
 Fixed dangling pointer access on _pdo_pgsql_trim_message helper.
 Readline:
 Fixed bug GH-19250 and bug #51360 (Invalid conftest for rl_pending_input).
 SOAP:
 Fixed bug GH-18640 (heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref).
 Sockets:
 Fix some potential crashes on incorrect argument value.
 Standard:
 Fixed OSS Fuzz #433303828 (Leak in failed unserialize() with opcache).
 Fix theoretical issues with hrtime() not being available.
 Fixed bug GH-19300 (Nested array_multisort invocation with error breaks).
 Windows:
 Free opened_path when opened_path_len >= MAXPATHLEN.
 Version 8.3.24 Calendar:
 Fixed jewishtojd overflow on year argument.
 Core:
 Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction order).
 Fix OSS-Fuzz #427814456.
 Fix OSS-Fuzz #428983568 and #428760800.
 Fixed bug GH-17204 -Wuseless-escape warnings emitted by re2c.
 Curl:
 Fix memory leaks when returning refcounted value from curl callback.
 Remove incorrect string release.
 LDAP:
 Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty request OID.
 MbString:
 Fixed bug GH-18901 (integer overflow mb_split).
 OCI8:
 Fixed bug GH-18873 (OCI_RETURN_LOBS flag causes oci8 to leak memory).
 Opcache:
 Fixed bug GH-18639 (Internal class aliases can break preloading + JIT).
 Fixed bug GH-14082 (Segmentation fault on unknown address 0x600000000018 in ext/opcache/jit/zend_jit.c).
 OpenSSL:
 Fixed bug #80770 (It is not possible to get client peer certificate with stream_socket_server).
 PCNTL:
 Fixed bug GH-18958 (Fatal error during shutdown after pcntl_rfork() or pcntl_forkx() with zend- max-execution-timers).
 Phar:
 Fix stream double free in phar.
 Fix phar crash and file corruption with SplFileObject.
 SOAP:
 Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing on object destruction).
 Fix memory leak when URL parsing fails in redirect.
 SPL:
 Fixed bug GH-19094 (Attaching class with no Iterator implementation to MultipleIterator causes crash).
 Standard:
 Fix misleading errors in printf().
 Fix RCN violations in array functions.
 Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.
 Streams:
 Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter fatal error).
 Zip:
 Fix leak when path is too long in ZipArchive::extractTo().

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1255710

https://bugzilla.suse.com/1255711

https://bugzilla.suse.com/1255712

http://www.nessus.org/u?80d14b2b

https://www.suse.com/security/cve/CVE-2025-14177

https://www.suse.com/security/cve/CVE-2025-14178

https://www.suse.com/security/cve/CVE-2025-14180

Plugin Details

Severity: High

ID: 282545

File Name: suse_SU-2026-0086-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/10/2026

Updated: 1/10/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C

CVSS Score Source: CVE-2025-14178

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.2

Threat Score: 6.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2025-14180

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:apache2-mod_php8, p-cpe:/a:novell:suse_linux:php8, p-cpe:/a:novell:suse_linux:php8-bcmath, p-cpe:/a:novell:suse_linux:php8-bz2, p-cpe:/a:novell:suse_linux:php8-calendar, p-cpe:/a:novell:suse_linux:php8-cli, p-cpe:/a:novell:suse_linux:php8-ctype, p-cpe:/a:novell:suse_linux:php8-curl, p-cpe:/a:novell:suse_linux:php8-dba, p-cpe:/a:novell:suse_linux:php8-devel, p-cpe:/a:novell:suse_linux:php8-dom, p-cpe:/a:novell:suse_linux:php8-embed, p-cpe:/a:novell:suse_linux:php8-enchant, p-cpe:/a:novell:suse_linux:php8-exif, p-cpe:/a:novell:suse_linux:php8-fastcgi, p-cpe:/a:novell:suse_linux:php8-fileinfo, p-cpe:/a:novell:suse_linux:php8-fpm, p-cpe:/a:novell:suse_linux:php8-ftp, p-cpe:/a:novell:suse_linux:php8-gd, p-cpe:/a:novell:suse_linux:php8-gettext, p-cpe:/a:novell:suse_linux:php8-gmp, p-cpe:/a:novell:suse_linux:php8-iconv, p-cpe:/a:novell:suse_linux:php8-intl, p-cpe:/a:novell:suse_linux:php8-ldap, p-cpe:/a:novell:suse_linux:php8-mbstring, p-cpe:/a:novell:suse_linux:php8-mysql, p-cpe:/a:novell:suse_linux:php8-odbc, p-cpe:/a:novell:suse_linux:php8-opcache, p-cpe:/a:novell:suse_linux:php8-openssl, p-cpe:/a:novell:suse_linux:php8-pcntl, p-cpe:/a:novell:suse_linux:php8-pdo, p-cpe:/a:novell:suse_linux:php8-pgsql, p-cpe:/a:novell:suse_linux:php8-phar, p-cpe:/a:novell:suse_linux:php8-posix, p-cpe:/a:novell:suse_linux:php8-readline, p-cpe:/a:novell:suse_linux:php8-shmop, p-cpe:/a:novell:suse_linux:php8-snmp, p-cpe:/a:novell:suse_linux:php8-soap, p-cpe:/a:novell:suse_linux:php8-sockets, p-cpe:/a:novell:suse_linux:php8-sodium, p-cpe:/a:novell:suse_linux:php8-sqlite, p-cpe:/a:novell:suse_linux:php8-sysvmsg, p-cpe:/a:novell:suse_linux:php8-sysvsem, p-cpe:/a:novell:suse_linux:php8-sysvshm, p-cpe:/a:novell:suse_linux:php8-test, p-cpe:/a:novell:suse_linux:php8-tidy, p-cpe:/a:novell:suse_linux:php8-tokenizer, p-cpe:/a:novell:suse_linux:php8-xmlreader, p-cpe:/a:novell:suse_linux:php8-xmlwriter, p-cpe:/a:novell:suse_linux:php8-xsl, p-cpe:/a:novell:suse_linux:php8-zip, p-cpe:/a:novell:suse_linux:php8-zlib

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/9/2026

Vulnerability Publication Date: 12/17/2025

Reference Information

CVE: CVE-2025-14177, CVE-2025-14178, CVE-2025-14180

IAVA: 2026-A-0020

SuSE: SUSE-SU-2026:0086-1