CVE-2022-1586 — Out-of-bounds Read in Pcre2
CWE-125 — Out-of-bounds Read; CWE-345 — Insufficient Verification of Data Authenticity
13 documents, 11 sources
Severity: 9.1 CRITICAL (NVD)
EPSS: 0.6% (top 30.93%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: May 16
Latest update: Jan 10
Description
An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. It involves a Unicode property matching issue in JIT-compiled regular expressions: the issue occurs because the character was not fully read during case-less matching within the JIT.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 3.9 | Impact: 5.2
Affected Packages (3 packages)
Also affects: Debian Linux 10.0, Fedora 35, 36, Enterprise Linux 8.0, 9.0
Patches
Vulnerability Details
GHSA (3)
GHSA-f3pv-9fwh-mp3x: An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile (2022-05-17)
CVEList
CVE-2022-1586: An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile (2022-05-16)
OSV
CVE-2022-1586: An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile (2022-05-16)
Vendor Advisories
Microsoft (7)
An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue i (2022-05-10)