CVE-2014-9654

CRITICAL

ICU <2014-12-03 - Memory Corruption

Title source: llm
STIX 2.1

Description

The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.

References (9)

Core 9
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
http://bugs.icu-project.org/trac/ticket/11371
Issue Tracking, Third Party Advisory x_refsource_confirm
https://code.google.com/p/chromium/issues/detail?id=432209
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035410
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201503-06
Issue Tracking x_refsource_confirm
http://bugs.icu-project.org/trac/changeset/36801
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2015/02/05/15

Scores

CVSS v3 9.8
EPSS 0.0242
EPSS Percentile 82.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-119
Status published
Products (2)
google/chrome < 40.0.2214.85
icu-project/international_components_for_unicode < 55.1
Published Apr 24, 2017
Tracked Since Feb 18, 2026