VYPR
Unrated severity · NVD Advisory · Published Jul 10, 2019 · Updated Aug 4, 2024

CVE-2019-13224

Description

A use-after-free in Oniguruma 6.9.2's onig_new_deluxe() allows attackers to cause information disclosure, denial of service, or code execution via a crafted regex with mismatched encodings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free vulnerability exists in onig_new_deluxe() in regext.c of Oniguruma version 6.9.2. The flaw is triggered when the function is called with a regular expression pattern and a target string that have different multi-byte encodings. The code path attempts to convert the pattern encoding using conv_encoding(), but due to improper handling, memory can be freed and later accessed, leading to a use-after-free condition. This vulnerability affects Oniguruma 6.9.2 and possibly earlier versions, and impacts applications that use the library, such as Ruby, PHP, and Rust.

Exploitation

An attacker can exploit this by supplying a crafted regular expression pattern and an accompanying string with different multi-byte encodings to an application that uses Oniguruma. No authentication is required; the attacker only needs the ability to provide the regex and string (e.g., via a web form or file upload). When the application calls onig_new_deluxe() with these mismatched encodings, the use-after-free is triggered. The exact sequence of steps beyond this is not detailed in the available references.

Impact

Successful exploitation could result in information disclosure, denial of service, or arbitrary code execution, depending on how the attacker manipulates the freed memory. The impact is at the privilege level of the process using Oniguruma, potentially affecting confidentiality, integrity, and availability.

Mitigation

The fix was provided in commit 0f7f61e [1], which disallows different encodings for pattern and target in onig_new_deluxe(). This fix was included in Oniguruma version 6.9.3. Users should upgrade to version 6.9.3 or later. Gentoo has published a GLSA [4] recommending upgrade to >=dev-libs/oniguruma-6.9.3. For applications like Ruby, PHP, and Rust, updating the bundled Oniguruma library is necessary. No workaround is known.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 64

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"A use-after-free vulnerability in onig_new_deluxe() occurs due to improper handling of mismatched encodings in regular expressions."

Attack vector

An attacker can trigger this vulnerability by providing a crafted regular expression that uses mismatched pattern and target encodings [1]. When processed by onig_new_deluxe(), this combination leads to memory corruption, which can result in information disclosure, denial of service, or arbitrary code execution [1].

Affected code

The vulnerability is located in the onig_new_deluxe() function within the regext.c file. The patch also removes the conv_encoding() function logic that was previously used to handle encoding conversions [1].

What the fix does

The patch modifies onig_new_deluxe() in regext.c to explicitly reject attempts to use different encodings for the pattern and the target [1]. Previously, the code attempted to convert the pattern between encodings, and that conversion path introduced the vulnerability. By returning ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION when ci->pattern_enc does not match ci->target_enc, the library never reaches the unsafe memory operations [1].
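To make the fix and the mitigation concrete, here is an added, self-contained example; it is not Oniguruma's code and not part of this advisory. It models the guard the 6.9.3 fix places at the top of onig_new_deluxe() (compare ci->pattern_enc with ci->target_enc and fail with ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION instead of converting) and pairs it with a version gate an embedding application can run against the string returned by the library's onig_version() before relying on the fixed behaviour. The types Enc and CompileInfo, the functions check_encoding_combination(), check_encodings(), version_at_least() and has_cve_2019_13224_fix(), and the numeric values of the ONIG_* constants are stand-ins chosen for this example, not the library's definitions.

```c
#include <stdio.h>

/* Stand-in for Oniguruma's OnigEncodingType. In the real library each
 * encoding is a pointer to a static descriptor (ONIG_ENCODING_UTF8 etc.),
 * so "same encoding" is pointer identity, which is what the fix compares. */
typedef struct { const char *name; } Enc;
static const Enc ENC_UTF8    = { "UTF-8" };
static const Enc ENC_UTF16LE = { "UTF-16LE" };

/* Stand-in for OnigCompileInfo, reduced to the two fields the fix examines. */
typedef struct {
  const Enc *pattern_enc;
  const Enc *target_enc;
} CompileInfo;

/* Local stand-ins for the library's return codes. The error name mirrors the
 * one named in the advisory; the numeric values are illustrative only. */
#define ONIG_NORMAL 0
#define ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION (-402)

/* The guard the 6.9.3 fix adds at the start of onig_new_deluxe(): when the
 * pattern and target encodings differ, fail fast instead of converting the
 * pattern with conv_encoding(), the path the advisory identifies as unsafe. */
int check_encoding_combination(const CompileInfo *ci)
{
  if (ci->pattern_enc != ci->target_enc)
    return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
  return ONIG_NORMAL;
}

/* Convenience wrapper so the guard can be exercised from a pair of encodings. */
int check_encodings(const Enc *pattern_enc, const Enc *target_enc)
{
  CompileInfo ci;
  ci.pattern_enc = pattern_enc;
  ci.target_enc  = target_enc;
  return check_encoding_combination(&ci);
}

/* Parse a "major.minor.patch" string such as the one onig_version() returns
 * and report whether it is at least the requested release. Returns 1 when the
 * version is new enough, 0 when it is older or cannot be parsed (an
 * unparsable string is deliberately treated as not fixed). */
int version_at_least(const char *ver, int major, int minor, int patch)
{
  int a = 0, b = 0, c = 0;
  if (ver == NULL || sscanf(ver, "%d.%d.%d", &a, &b, &c) < 2)
    return 0;
  if (a != major) return a > major;
  if (b != minor) return b > minor;
  return c >= patch;
}

/* Releases 6.9.3 and later carry the fix named in the advisory. */
int has_cve_2019_13224_fix(const char *ver)
{
  return version_at_least(ver, 6, 9, 3);
}

int main(void)
{
  /* Constructed inputs: one matched and one mismatched encoding pair, plus
   * version strings on both sides of the fixed release. */
  printf("UTF-8/UTF-8    -> %d\n", check_encodings(&ENC_UTF8, &ENC_UTF8));
  printf("UTF-8/UTF-16LE -> %d\n", check_encodings(&ENC_UTF8, &ENC_UTF16LE));
  printf("6.9.2 fixed?  %d\n", has_cve_2019_13224_fix("6.9.2"));
  printf("6.9.3 fixed?  %d\n", has_cve_2019_13224_fix("6.9.3"));
  printf("6.9.10 fixed? %d\n", has_cve_2019_13224_fix("6.9.10"));
  return 0;
}
```

In a real deployment the version check would be fed the string from onig_version() at startup, and the encoding guard is the library's own responsibility once it is at 6.9.3 or later; the point of the model is that a mismatched pattern/target pair is now an immediate error return rather than a conversion, so callers should expect and handle ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION where they previously relied on the conversion.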

Preconditions

  • Input: The attacker must provide a crafted regular expression with mismatched pattern and target encodings.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0 (no linked articles in our index yet)