new file mode 100644
@@ -0,0 +1,84 @@
+From 7aac95c5280ea395ccfcd624cae7e87749ff6eeb Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
+Date: Tue, 25 Nov 2025 23:11:38 +0100
+Subject: [PATCH] Fix GH-20584: Information Leak of Memory
+
+The string added had uninitialized memory due to
+php_read_stream_all_chunks() not moving the buffer position, resulting
+in the same data always being overwritten instead of new data being
+added to the end of the buffer.
+
+This is backport as there is a security impact as described in
+GHSA-3237-qqm7-mfv7 .
+
+CVE: CVE-2025-14177
+Upstream-Status: Backport [https://github.com/php/php-src/commit/c5f28c7cf0a0]
+
+(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ ext/standard/image.c | 1 +
+ ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++
+ 2 files changed, 40 insertions(+)
+ create mode 100644 ext/standard/tests/image/gh20584.phpt
+
+diff --git a/ext/standard/image.c b/ext/standard/image.c
+index 2bd5429efac..15761364c34 100644
+--- a/ext/standard/image.c
++++ b/ext/standard/image.c
+@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_
+ if (read_now < stream->chunk_size && read_total != length) {
+ return 0;
+ }
++ buffer += read_now;
+ } while (read_total < length);
+
+ return read_total;
+diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt
+new file mode 100644
+index 00000000000..d117f218202
+--- /dev/null
++++ b/ext/standard/tests/image/gh20584.phpt
+@@ -0,0 +1,39 @@
++--TEST--
++GH-20584 (Information Leak of Memory)
++--CREDITS--
++Nikita Sveshnikov (Positive Technologies)
++--FILE--
++<?php
++// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter
++$file = __DIR__ . '/gh20584.jpg';
++
++// Make APP1 large enough so it is read in multiple chunks
++$chunk = 8192;
++$tail = 123;
++$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z',
++$tail);
++$app1Len = 2 + strlen($payload);
++
++// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI
++$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) .
++"\x01\x11\x00";
++$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof .
++"\xFF\xD9";
++file_put_contents($file, $jpeg);
++
++// Read through a filter to enforce multiple reads
++$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file;
++$info = null;
++@getimagesize($src, $info);
++$exp = $payload;
++$ret = $info['APP1'];
++
++var_dump($ret === $exp);
++
++?>
++--CLEAN--
++<?php
++@unlink(__DIR__ . '/gh20584.jpg');
++?>
++--EXPECT--
++bool(true)
+--
+2.43.5
+
@@ -20,6 +20,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \
file://0010-iconv-fix-detection.patch \
file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \
+ file://CVE-2025-14177.patch \
"
SRC_URI:append:class-target = " \