CVE-2022-1586

high-risk
Published 2022-05-16

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.

Do I need to act?

-
0.58% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

Affected Products (15)

Pcre2

Affected Vendors

Debian Redhat Pcre Fedoraproject Netapp

References (20)

Broken Link https://bugzilla.redhat.com/show_bug.cgi?id=2077976%2C
Broken Link https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5...
Patch https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc388f89095b184ba6d99422cf...
Mailing List https://lists.debian.org/debian-lts-announce/2023/03/msg00014.html
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Third Party Advisory https://security.netapp.com/advisory/ntap-20221028-0009/
Third Party Advisory https://bugzilla.redhat.com/show_bug.cgi?id=2077976
Broken Link https://bugzilla.redhat.com/show_bug.cgi?id=2077976%2C
Patch https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5...
Broken Link https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5...
Patch https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc388f89095b184ba6d99422cf...
Mailing List https://lists.debian.org/debian-lts-announce/2023/03/msg00014.html
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Third Party Advisory https://security.netapp.com/advisory/ntap-20221028-0009/
51
/ 100
high-risk
Severity 31/34 · Critical
Exploitability 2/34 · Minimal
Exposure 18/34 · Moderate