Critical severity9.8NVD Advisory· Published Apr 24, 2017· Updated May 13, 2026

CVE-2014-9654

Description

The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.

Affected products

Google/Chrome
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Range: <=40.0.2214.85
Icu Project/International Components For Unicode
cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:c\/c\+\+:*:*
Range: <55.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bugs.icu-project.org/trac/ticket/11371nvdIssue TrackingVendor Advisory
openwall.com/lists/oss-security/2015/02/05/15nvdMailing ListThird Party Advisory
www.securitytracker.com/id/1035410nvdThird Party AdvisoryVDB Entry
chromium.googlesource.com/chromium/deps/icu/+/dd727641e190d60e4593bcb3a35c7f51eb4925c5nvdIssue TrackingThird Party Advisory
code.google.com/p/chromium/issues/detailnvdIssue TrackingThird Party Advisory
security.gentoo.org/glsa/201503-06nvdThird Party Advisory
bugs.icu-project.org/trac/changeset/36801nvdIssue Tracking
www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlnvd
www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000