Description
An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.
References (7)
Core 7
Core References
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202006-16
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQRAHYHLRNMBTPR3KXVM27NSZP3KTOPI/
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2023/03/msg00014.html
Issue Tracking, Permissions Required, Third Party Advisory
https://bugs.exim.org/show_bug.cgi?id=2421
Exploit, Issue Tracking, Third Party Advisory
https://bugs.php.net/bug.php?id=78338
Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1735494
Broken Link, Patch
https://vcs.pcre.org/pcre2?view=revision&revision=1092
Scores
CVSS v3
7.5
EPSS
0.0009
EPSS Percentile
25.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-125
Status
published
Products (4)
fedoraproject/fedora
31
pcre/pcre2
10.31 - 10.34
splunk/universal_forwarder
9.1.0
splunk/universal_forwarder
8.2.0 - 8.2.12
Published
Feb 14, 2020
Tracked Since
Feb 18, 2026