Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-8146: Improper Restriction of Operations within the Bounds of a Memory Buffer in International Components for Unicode

Severity: 7.5 HIGH (NVD)
EPSS: 25.8% (top 3.73%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published May 25; latest update May 14

Description

The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P (Exploitability: 10.0 | Impact: 6.4)

Affected Packages: 5 packages

Patches

Vulnerability Details (3)

GHSA: GHSA-5v3f-x3cw-9pfr: The resolveImplicitLevels function in common/ubidi... (2022-05-14)
CVEList: CVE-2014-8146: The resolveImplicitLevels function in common/ubidi... (2015-05-25)
OSV: CVE-2014-8146: The resolveImplicitLevels function in common/ubidi... (2015-05-25)

Exploits & PoCs (1)

Exploit-DB: ICU library 52 < 54 - Multiple Vulnerabilities (2015-06-10)

Vendor Advisories (7)

Ubuntu: ICU vulnerabilities (2015-05-11)
Red Hat: icu: heap overflow via incorrect isolateCount (2015-05-05)
Debian: CVE-2014-8146: icu - The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectiona... (2014)
Apple: CVE-2014-8146: OS X El Capitan v10.11
Apple: CVE-2014-8146: iOS 9

Community (4)

Bugzilla: ICU: heap overflow via incorrect isolateCount (2015-05-18)
Bugzilla: ICU: integer overflow via incorrect state size (2015-05-18)
Bugzilla: CVE-2014-8147 CVE-2014-8146 icu: various flaws [fedora-all] (2015-05-06)
Bugzilla: CVE-2014-8146 icu: heap overflow via incorrect isolateCount (2014-12-19)
CVE-2014-8146 — HIGH severity | cvebase