Unrated severity · NVD Advisory · Published Aug 17, 2015 · Updated May 6, 2026

CVE-2015-3796

Description

The TRE library in Libc in Apple iOS before 8.4.1 and OS X before 10.10.5 allows context-dependent attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted regular expression, a different vulnerability than CVE-2015-3797 and CVE-2015-3798.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory corruption vulnerability in the TRE library in Apple iOS and OS X allows arbitrary code execution via a crafted regular expression with wide hex literals.

Vulnerability

The vulnerability resides in the TRE regular expression library used by Libc in Apple iOS before 8.4.1 and OS X before 10.10.5. When the REG_ENHANCED flag is passed to regcomp, the parser for wide-character hex literals (e.g., \x{...}) copies hex digits into a fixed 32-byte stack buffer tmp without bounds checking [3]. This stack buffer overflow can be triggered by supplying a crafted regular expression containing a long hex sequence inside \x{...}. Affected versions: iOS < 8.4.1, OS X < 10.10.5 [1][2].
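
The bug class described above, shown as a bounded parser for the digits of a \x{...} literal. This is an added example, not TRE's or Apple's code: the function name parse_wide_hex, its signature and the code-point range check are assumptions, and only the 32-byte tmp buffer comes from the advisory text.

```c
#include <stddef.h>
#include <stdlib.h>
#include <ctype.h>

#define TMP_LEN 32   /* size of the fixed stack buffer named in the advisory */

/* Hypothetical helper (not TRE's code): parse the digits of a \x{...}
 * literal. `s` points just past "\x{"; `end` is one past the last byte
 * of the pattern. Returns 0 and stores the code point in *out, or -1 on
 * malformed or over-long input.
 *
 * The unsafe shape the advisory describes is this same loop without the
 * `n >= TMP_LEN - 1` test: every digit up to '}' is stored in tmp, so the
 * digit count in the pattern, not the buffer size, bounds the write. */
int parse_wide_hex(const char *s, const char *end, unsigned long *out)
{
    char tmp[TMP_LEN];
    size_t n = 0;

    while (s < end && *s != '}') {
        if (!isxdigit((unsigned char)*s))
            return -1;              /* non-hex byte inside the braces */
        if (n >= TMP_LEN - 1)
            return -1;              /* next store would overrun tmp: reject */
        tmp[n++] = *s++;
    }
    if (s >= end || n == 0)
        return -1;                  /* unterminated or empty literal */
    tmp[n] = '\0';                  /* always in bounds: n <= TMP_LEN - 1 */

    unsigned long v = strtoul(tmp, NULL, 16);
    if (v > 0x10FFFFUL)
        return -1;                  /* outside the Unicode code-point range */
    *out = v;
    return 0;
}
```
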

Exploitation

An attacker needs to supply a malicious regular expression to an application that uses the TRE library with REG_ENHANCED enabled. The exploit requires no authentication if the application processes user-supplied regex patterns (e.g., grep with the -E flag or other tools). The proof-of-concept uses a regex like \x{AAAA...} with many hex digits to overflow the stack buffer, overwriting adjacent memory [3]. The attacker must control the regex content; no special network position is required if the application is local or remotely accepts regex input.

Impact

Successful exploitation leads to memory corruption, potentially allowing arbitrary code execution with the privileges of the affected process. The vulnerability can also cause a denial of service via application crash. The impact is context-dependent; if the vulnerable application runs with elevated privileges, the attacker may gain those privileges. The CVSS score is not provided, but the exploit is rated Medium severity due to the need for REG_ENHANCED and control over the regex [3].

Mitigation

Apple addressed this vulnerability in iOS 8.4.1 and OS X Yosemite 10.10.5, released on August 13, 2015 [1][2]. Users should update to these versions or later. No workaround is available for unpatched systems. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
