CVE-2015-5073
moderate-risk
Published 2016-12-13
Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.
Do I need to act?
-
0.55% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10
Critical
NETWORK
/ LOW complexity
References (26)
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886
Third Party Advisory
http://www.securityfocus.com/bid/75430
Third Party Advisory
http://www.securitytracker.com/id/1033154
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886
and 6 more references
42
/ 100
moderate-risk
Severity
31/34 · Critical
Exploitability
2/34 · Minimal
Exposure
9/34 · Low