CVE-2014-7926
Description
The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory corruption vulnerability in ICU's regular expression engine, triggered by a zero-length quantifier, allows denial of service or possible code execution via crafted web content.
Vulnerability
The vulnerability resides in the Regular Expressions package of International Components for Unicode (ICU) version 52 before SVN revision 292944. It is triggered by a zero-length quantifier in a regular expression, leading to memory corruption. This affects Google Chrome before 40.0.2214.91, as well as other products using ICU, such as Red Hat Enterprise Linux and Ubuntu. [1][2][3]
Exploitation
An attacker can exploit this by crafting a web page containing a specially crafted regular expression with a zero-length quantifier. If a user visits the page, the browser's renderer process (which uses ICU for regular expression handling) will process the malformed regex, causing memory corruption. No authentication is required; the attacker only needs to trick the user into opening the malicious page. [2]
Impact
Successful exploitation can cause a denial of service via a renderer crash. Additionally, the memory corruption may be leveraged to execute arbitrary code with the privileges of the sandboxed renderer process. [2] The scope is limited to the renderer sandbox, but could potentially lead to further compromise if combined with a sandbox escape.
Mitigation
Google Chrome was fixed in version 40.0.2214.91. [3] Red Hat issued RHSA-2015-0093 for affected products. [1] Ubuntu released USN-2476-1. [2] Users should update to the latest versions. No workaround is available; applying the patch is the only mitigation.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:c\/c\+\+:*:* (Range: <55.1)
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:communications_messaging_server:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:communications_messaging_server:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop_supplementary:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_supplementary:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_supplementary_eus:6.6.z:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation_supplementary:6.0:*:*:*:*:*:*:*
References
- advisories.mageia.org/MGASA-2015-0047.html (nvd)
- bugs.icu-project.org/trac/ticket/11369 (nvd)
- googlechromereleases.blogspot.com/2015/01/stable-update.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-0093.html (nvd)
- secunia.com/advisories/62383 (nvd)
- secunia.com/advisories/62575 (nvd)
- secunia.com/advisories/62665 (nvd)
- security.gentoo.org/glsa/glsa-201502-13.xml (nvd)
- www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html (nvd)
- www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html (nvd)
- www.securityfocus.com/bid/72288 (nvd)
- www.securitytracker.com/id/1031623 (nvd)
- www.ubuntu.com/usn/USN-2476-1 (nvd)
- chromium.googlesource.com/chromium/deps/icu52/+/3af4ce5982311035e5f36803d547c0befa576c8c (nvd)
- chromium.googlesource.com/chromium/deps/icu52/+/6242e2fbb36f486f2c0addd1c3cef67fc4ed33fb (nvd)
- code.google.com/p/chromium/issues/detail (nvd)
- codereview.chromium.org/726973003 (nvd)
- security.gentoo.org/glsa/201503-06 (nvd)
- www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (nvd)