CVE-2026-46629
twig/intl-extra: Unbounded formatter memoisation in keyed on template-controlled arguments
Description
### Description `IntlExtension` memoises every `\IntlDateFormatter` and `\NumberFormatter` it creates in instance-level arrays keyed on a hash that includes `locale`, `pattern`, `attrs` and other values that are ordinary named arguments of the `format_datetime` / `format_date` / `format_time` / `format_number` / `format_currency` filters. There is no size limit and no eviction. A template that iterates over many distinct `pattern` (or `locale`, or `grouping_used`, ...) values therefore allocates one ICU formatter object per distinct value and pins it for the entire lifetime of the `Twig\Environment`. Because ICU allocates its backing buffers outside the Zend memory manager, this growth is not bounded by `memory_limit`. On long-running runtimes (RoadRunner, Swoole, FrankenPHP worker mode, ReactPHP) where the `Environment` outlives a single request, the cache also accumulates across requests. ### Resolution The formatter caches are now bounded in size (100 entries each) and evict on a FIFO basis. ### Credits Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Affected packages (2)
- Debian/php-twigfrom 0
- Packagist/twig/intl-extrafrom 0, < 3.26.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U |
References (5)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-46629
- PATCHhttps://github.com/twigphp/Twig
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/twig/intl-extra/CVE-2026-46629.yaml
- WEBhttps://github.com/twigphp/Twig/security/advisories/GHSA-35wc-cvqg-78fp
- WEBhttps://symfony.com/cve-2026-46629