CVE-2025-14180

Updated: 2026-01-10 02:53:52.599125

Description:

In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, and 8.5.* before 8.5.1, when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in the pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
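The conditions the description names (an affected PHP branch, emulated prepares on the pgsql driver, a parameter that is not a valid character sequence) can be checked and mitigated on the application side. The snippet below is an added example, not code from the advisory or from the PHP project; the DSN and credentials are placeholders, and it assumes the database client encoding is UTF-8.

```php
<?php
// Added example (not from the advisory or the PHP project): defensive checks
// for the conditions CVE-2025-14180 describes. DSN and credentials are placeholders.

// Fixed releases listed in the advisory, keyed by minor branch.
const PDO_PGSQL_FIXED = [
    '8.1' => '8.1.34',
    '8.2' => '8.2.30',
    '8.3' => '8.3.29',
    '8.4' => '8.4.16',
    '8.5' => '8.5.1',
];

/** True when $version is on an affected branch and predates that branch's fix. */
function phpVersionIsAffected(string $version): bool
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    return isset(PDO_PGSQL_FIXED[$branch])
        && version_compare($version, PDO_PGSQL_FIXED[$branch], '<');
}

/** Reject string parameters that are not valid UTF-8 before they reach the driver. */
function assertValidUtf8(array $params): void
{
    foreach ($params as $name => $value) {
        if (is_string($value) && !mb_check_encoding($value, 'UTF-8')) {
            throw new InvalidArgumentException("Parameter $name is not valid UTF-8");
        }
    }
}

$pdo = new PDO('pgsql:host=db.example.internal;dbname=app', 'app_user', 'REPLACE_ME', [
    // Server-side prepares: the emulation path through pdo_parse_params() is not used.
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// Log the combination the advisory describes, in case emulation was re-enabled elsewhere.
if (phpVersionIsAffected(PHP_VERSION) && $pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES)) {
    error_log('PHP ' . PHP_VERSION . ' with emulated prepares on pgsql (CVE-2025-14180): update PHP or disable emulation.');
}

$params = [':name' => $_GET['name'] ?? ''];
assertValidUtf8($params);   // an invalid sequence such as "\x99" is rejected here, before quoting
$stmt = $pdo->prepare('SELECT id FROM customers WHERE name = :name');
$stmt->execute($params);
```

Updating PHP to a fixed release remains the fix; disabling emulation and validating encoding only narrow exposure on hosts that cannot be updated yet.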


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| Severity         | Score    |
|------------------|----------|
| CVSS Version 2.x | 0.0      |
| CVSS Version 3.x | HIGH 7.5 |

Status

| OS name           | Project name | Version | Score | Severity | Status         | Errata               | Last updated        | Statement |
|-------------------|--------------|---------|-------|----------|----------------|----------------------|---------------------|-----------|
| Alpine Linux 3.22 | php          | 7.3     | 7.5   | HIGH     | Not Vulnerable |                      | 2026-02-16 14:41:22 |           |
| Alpine Linux 3.22 | php          | 7.4     | 7.5   | HIGH     | Not Vulnerable |                      | 2026-01-23 13:40:08 |           |
| Alpine Linux 3.22 | php          | 8.1     | 7.5   | HIGH     | Released       | CLSA-2026:1771348225 | 2026-02-18 17:42:40 |           |
| Debian 10         | php          | 8.0     | 7.5   | HIGH     | Not Vulnerable |                      | 2026-01-06 08:40:21 |           |
| Debian 10         | php          | 5.6     | 7.5   | HIGH     | Not Vulnerable |                      | 2026-01-06 08:40:53 |           |
| Debian 10         | php          | 7.3     | 7.5   | HIGH     | Not Vulnerable |                      | 2026-01-06 08:40:22 |           |
| Debian 10         | php          | 8.2     | 7.5   | HIGH     | Released       | CLSA-2026:1768511374 | 2026-01-15 22:33:03 |           |
| Debian 10         | php          | 8.1     | 7.5   | HIGH     | Released       | CLSA-2026:1768510758 | 2026-01-15 22:33:05 |           |
| Debian 10         | php          | 7.0     | 7.5   | HIGH     | Not Vulnerable |                      | 2026-01-06 08:40:24 |           |
| Debian 10         | php          | 7.1     | 7.5   | HIGH     | Not Vulnerable |                      | 2026-01-06 08:40:23 |           |

Total: 140 (only the first rows are shown here)