Buffer overflow in Pcre Perl_compatible_regular_expression_library

CVE-2015-8381

The compile_regex function in pcre_compile.c in PCRE before 8.38 and pcre2_compile.c in PCRE2 before 10.2x mishandles the /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/ and /(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((…

Vulnerability class: Buffer Overflow

EPSS: 0.058 (90.7th percentile) — read the EPSS interpretation.

Affected products

Pcre Perl_compatible_regular_expression_library
N/a — versions n/a

Weakness classification (CWE)

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer

References

[oss-security] 20151128 Re: Heap Overflow in PCRE (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
RHSA-2016:1132 (x_refsource_REDHAT, vendor-advisory)
RHSA-2016:2750 (x_refsource_REDHAT, vendor-advisory)
76187 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_BID)
cve@mitre.org (x_refsource_CONFIRM, Exploit)
cve@mitre.org (x_refsource_CONFIRM, Exploit)
cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory)
cve@mitre.org (x_refsource_CONFIRM, Exploit, Release Notes)
GLSA-201607-02 (vendor-advisory, x_refsource_GENTOO)