CVE-2026-44167
high
CVSS v3
7.5
CVSS v2
—
VIR risk
7.5
Description
phpseclib has a CVE-2024-27355 mitigation bypass — OID amplification DoS in ASN1::decodeOID()
Predictions
Exploit likelihood
83%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-44167
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2.0.42-1+deb12u5 |
| debian | bullseye | affected | |
| debian | forky | fixed | 2.0.54-1 |
| debian | sid | fixed | 2.0.54-1 |
| debian | trixie | fixed | 2.0.48-3+deb13u3 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | phpseclib/phpseclib | >=0.1.1,<=1.0.28|>=3.0.0,<=3.0.51|>=2.0.0,<=2.0.53 | |
| Packagist | phpseclib/phpseclib | >=0.1.1,<1.0.29 | 1.0.29 |
| Packagist | phpseclib/phpseclib | >=2.0.0,<2.0.54 | 2.0.54 |
| Packagist | phpseclib/phpseclib | >=3.0.0,<3.0.52 | 3.0.52 |
| COMPOSER | phpseclib/phpseclib | >= 0.1.1, <= 1.0.28 | 1.0.29 |
| COMPOSER | phpseclib/phpseclib | >= 3.0.0, <= 3.0.51 | 3.0.52 |
| COMPOSER | phpseclib/phpseclib | >= 2.0.0, <= 2.0.53 | 2.0.54 |
References
- https://github.com/advisories/GHSA-3qpq-r242-jqj7
- https://github.com/phpseclib/phpseclib/commit/d53d2021bcb9f6a04d5d44ec99e6bbef219a71bc
- https://github.com/phpseclib/phpseclib/security/advisories/GHSA-3qpq-r242-jqj7
- https://nvd.nist.gov/vuln/detail/CVE-2026-44167
- https://github.com/phpseclib/phpseclib
- https://security-tracker.debian.org/tracker/CVE-2026-44167
CWEs
CWE-400
Verify integrity in audit chain (admin only). AS-IS.