GHSA-35WC-CVQG-78FP
Vulnerability from github – Published: 2026-05-21 21:23 – Updated: 2026-05-21 21:23Description
IntlExtension memoises every \IntlDateFormatter and \NumberFormatter it creates in instance-level arrays keyed on a hash that includes locale, pattern, attrs and other values that are ordinary named arguments of the format_datetime / format_date / format_time / format_number / format_currency filters. There is no size limit and no eviction.
A template that iterates over many distinct pattern (or locale, or grouping_used, ...) values therefore allocates one ICU formatter object per distinct value and pins it for the entire lifetime of the Twig\Environment. Because ICU allocates its backing buffers outside the Zend memory manager, this growth is not bounded by memory_limit. On long-running runtimes (RoadRunner, Swoole, FrankenPHP worker mode, ReactPHP) where the Environment outlives a single request, the cache also accumulates across requests.
Resolution
The formatter caches are now bounded in size (100 entries each) and evict on a FIFO basis.
Credits
Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "twig/intl-extra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46629"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T21:23:53Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\n`IntlExtension` memoises every `\\IntlDateFormatter` and `\\NumberFormatter` it creates in instance-level arrays keyed on a hash that includes `locale`, `pattern`, `attrs` and other values that are ordinary named arguments of the `format_datetime` / `format_date` / `format_time` / `format_number` / `format_currency` filters. There is no size limit and no eviction.\n\nA template that iterates over many distinct `pattern` (or `locale`, or `grouping_used`, ...) values therefore allocates one ICU formatter object per distinct value and pins it for the entire lifetime of the `Twig\\Environment`. Because ICU allocates its backing buffers outside the Zend memory manager, this growth is not bounded by `memory_limit`. On long-running runtimes (RoadRunner, Swoole, FrankenPHP worker mode, ReactPHP) where the `Environment` outlives a single request, the cache also accumulates across requests.\n\n### Resolution\n\nThe formatter caches are now bounded in size (100 entries each) and evict on a FIFO basis.\n\n### Credits\n\nTwig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.",
"id": "GHSA-35wc-cvqg-78fp",
"modified": "2026-05-21T21:23:53Z",
"published": "2026-05-21T21:23:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-35wc-cvqg-78fp"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/intl-extra/CVE-2026-46629.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/twigphp/Twig"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-46629"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "twig/intl-extra: Unbounded formatter memoisation in keyed on template-controlled arguments"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.