CVE-2009-5155

Vulnerability

The GNU C Library (glibc) before version 2.28 contains a flaw in the parse_reg_exp function within posix/regcomp.c. This function misparses certain regular expression alternatives, specifically when back references and alternations are combined in patterns like (.*)(.*)(.*)\3\2\1 or (|()()0)\2. The bug causes an assertion failure (pop_fail_stack: Assertion num >= 0' failed`) when the malformed parsing leads to an invalid internal state during regex matching [1][2][3]. Affected versions include all glibc releases prior to 2.28.

Exploitation

An attacker can trigger the vulnerability by providing a crafted regular expression to an application that uses glibc's regex engine (e.g., GNU grep with the -E flag). The attacker does not need any special privileges; they only require the ability to supply arbitrary regex input to a program that compiles and executes extended regular expressions. For example, running echo abc | LANG=C grep -E '(.*)(.*)(.*)\3\2\1' causes grep to crash with an assertion failure [1]. Multiple variations of such patterns have been reported, all exploiting the same underlying misparsing [2][3].

Impact

Successful exploitation leads to a denial of service (DoS). The assertion failure aborts the process, causing the application to exit unexpectedly. No further compromise of confidentiality or integrity is achieved, but the crash can disrupt services or other applications relying on the glibc regex engine. The victim program terminates abnormally, potentially affecting availability.

Mitigation

The vulnerability is fixed in glibc version 2.28, which corrects the regex parser logic. Users should upgrade to glibc 2.28 or later. For affected systems, a workaround is to avoid processing untrusted regular expressions, especially those using complex combinations of alternations and back references. No official workaround is available, and the bug is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.