CVE-2014-7940
Description
The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An uninitialized memory bug in ICU 52's collator allows remote DoS or worse via crafted text sequences.
Vulnerability
A memory initialization flaw exists in the collator implementation within i18n/ucol.cpp of International Components for Unicode (ICU) version 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91. The bug is triggered when processing a crafted character sequence, leading to the use of uninitialized memory for a data structure [1][2][4].
Exploitation
An attacker can exploit this vulnerability remotely by supplying a specially crafted character sequence to an application that uses the affected ICU collator, such as Google Chrome. No authentication is required; the attack is network-based, relying on user interaction to process the malicious input [1][2].
Impact
Successful exploitation can cause a denial of service (memory corruption) through application crash or potentially lead to other unspecified impacts. The vulnerability does not immediately grant code execution, but memory corruption may be leveraged for further compromise [1][2].
Mitigation
The issue is fixed in ICU updates incorporated into Google Chrome 40.0.2214.91 [1][2]. Red Hat and Mageia have released updated ICU packages (e.g., icu-52.1-2.1.mga4 for Mageia 4) that address this and related vulnerabilities [1][2]. Users should apply the latest patches from their software vendors.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
5- cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:c\/c\+\+:*:*Range: <=52.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
18- advisories.mageia.org/MGASA-2015-0047.htmlnvd
- googlechromereleases.blogspot.com/2015/01/stable-update.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-0093.htmlnvd
- secunia.com/advisories/62383nvd
- secunia.com/advisories/62575nvd
- secunia.com/advisories/62665nvd
- security.gentoo.org/glsa/glsa-201502-13.xmlnvd
- www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlnvd
- www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.htmlnvd
- www.securityfocus.com/bid/72288nvd
- www.securitytracker.com/id/1031623nvd
- www.ubuntu.com/usn/USN-2476-1nvd
- chromium.googlesource.com/chromium/deps/icu/+/866ff696e9022a6000afbab516fba62cfa306075nvd
- chromium.googlesource.com/chromium/src.git/+/87feb77547781a22b31c423bc0d57b7dca32d5b8nvd
- code.google.com/p/chromium/issues/detailnvd
- security.gentoo.org/glsa/201503-06nvd
- www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlnvd
News mentions
0No linked articles in our index yet.