CVE-2026-46629

Description

### Description `IntlExtension` memoises every `\IntlDateFormatter` and `\NumberFormatter` it creates in instance-level arrays keyed on a hash that includes `locale`, `pattern`, `attrs` and other values that are ordinary named arguments of the `format_datetime` / `format_date` / `format_time` / `format_number` / `format_currency` filters. There is no size limit and no eviction. A template that iterates over many distinct `pattern` (or `locale`, or `grouping_used`, ...) values therefore allocates one ICU formatter object per distinct value and pins it for the entire lifetime of the `Twig\Environment`. Because ICU allocates its backing buffers outside the Zend memory manager, this growth is not bounded by `memory_limit`. On long-running runtimes (RoadRunner, Swoole, FrankenPHP worker mode, ReactPHP) where the `Environment` outlives a single request, the cache also accumulates across requests. ### Resolution The formatter caches are now bounded in size (100 entries each) and evict on a FIFO basis. ### Credits Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

How to fix CVE-2026-46629

To remediate CVE-2026-46629, upgrade the affected package to a fixed version below.

• —no fix listed
• —upgrade to 3.26.0 or later

Is CVE-2026-46629 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-46629.

Affected packages (2)

• from 0
• from 0, < 3.26.0

CVSS scores

References (5)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-46629
• PATCHgithub.com/twigphp/Twig
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/twig/intl-extra/CVE-2026-46629.yaml
• WEBgithub.com/twigphp/Twig/security/advisories/GHSA-35wc-cvqg-78fp