CVE-2025-14179
Publication date 10 May 2026
Last updated 6 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQLÂ statements.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| php7.0 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 16.04 LTS xenial |
Fixed 7.0.33-0ubuntu0.16.04.16+esm19
|
|
| php5 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 14.04 LTS trusty |
Needs evaluation
|
|
| php7.2 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| php7.4 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Needs evaluation
|
|
| php8.1 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Fixed 8.1.2-1ubuntu2.24
|
|
| php8.3 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble |
Fixed 8.3.6-0ubuntu0.24.04.9
|
|
| 22.04 LTS jammy | Not in release | |
| php8.4 | 26.04 LTS resolute | Not in release |
| 25.10 questing |
Fixed 8.4.11-1ubuntu1.2
|
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| php8.5 | 26.04 LTS resolute |
Fixed 8.5.4-0ubuntu1.1
|
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialNotes
Severity score breakdown
CVSS version:
Base score
7.4 · High
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber
Base score
8.1 · High
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References
Related Ubuntu Security Notices (USN)
- USN-8336-1
- PHP vulnerabilities
- 28 May 2026
- USN-8513-1
- PHP vulnerabilities
- 6 July 2026