EXECUTIVE SUMMARY
A high-severity Denial-of-Service (DoS) vulnerability (CVE-2026-12184) has been identified in PHP’s TLS stream handling functionality. The vulnerability arises from improper handling of failures during TLS session initialization, allowing a malicious remote endpoint to cause PHP applications to crash or become unavailable. Organizations operating Internet-facing PHP applications that establish TLS/SSL connections are advised to apply the latest security updates to mitigate the risk of service disruption.
- CVE: CVE-2026-12184
- CVSS: 8.7
- Active Region: Global
- Affected Sector: Government, Financial Services, Healthcare, Retail, IT, SaaS, and organizations hosting PHP-based web applications
- Affected Product: PHP (TLS Stream Handling)
- Severity: High (Remote Denial-of-Service)
- Published Date: July 06, 2026
TECHNICAL DETAILS
CVE-2026-12184 is a high-severity Denial-of-Service (DoS) vulnerability affecting PHP’s HTTP/TLS stream wrapper. The flaw resides in the php_stream_url_wrap_http_ex() function, where improper error handling occurs during TLS session initialization. When TLS setup fails through php_stream_xport_crypto_setup() or php_stream_xport_crypto_enable(), the underlying stream is closed and reset to NULL. However, PHP subsequently attempts to perform peer-name cleanup on the invalid stream, resulting in a null pointer dereference that can terminate the PHP process.
- Target: PHP applications that use the built-in HTTP stream wrapper to establish outbound HTTPS/TLS connections, including web applications, APIs, and services communicating with external systems over encrypted channels.
- Root Cause: Improper validation and cleanup of TLS stream objects after a failed TLS handshake. The application continues to access a stream that has already been released, resulting in a null pointer dereference and application crash.
- Prerequisite For Exploitation: Exploitation requires a vulnerable PHP application to initiate an outbound HTTPS/TLS connection to a malicious or attacker-controlled……



