VYPR
Unrated severity · NVD Advisory · Published Nov 25, 2019 · Updated Aug 5, 2024

CVE-2019-19246

Description

Heap buffer over-read in Oniguruma <=6.9.3's str_lower_case_match can be triggered via crafted regex, leading to DoS or info leak.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer over-read exists in Oniguruma through version 6.9.3, specifically in the str_lower_case_match function within regexec.c. This issue is triggered when processing a crafted regular expression that causes the function to read beyond the bounds of a heap-allocated buffer. The vulnerability is reachable when Oniguruma is used in applications such as PHP 7.3.x via the mb_eregi or similar multibyte regular expression functions [1][2].

Exploitation

An attacker can exploit the vulnerability by supplying a specially crafted regular expression to an application that uses the Oniguruma library (e.g., PHP's mb_eregi). The attack requires no authentication; it can be performed remotely by sending a malicious regex to a service that processes user-supplied patterns. The heap-based buffer over-read occurs during the case-folding matching process, as demonstrated in the PHP bug report [2] and the fix commit [3].

Impact

Successful exploitation can cause a denial of service (application crash) due to invalid memory access, and may lead to disclosure of sensitive information from heap memory. The impact is categorized as low to moderate severity, with a CVSS score of 5.9 (according to NIST) [1].

Mitigation

The vulnerability is fixed in Oniguruma version 6.9.4, which includes the commit d3e4029 that adds a bounds check in str_lower_case_match [3]. Users should update their Oniguruma library and any bundled dependencies (e.g., PHP). Ubuntu addressed this via USN-4460-1, releasing updates for libonig in various supported releases [1]. No workaround is available; applying the update is the recommended mitigation.
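As an added illustration (not code from Oniguruma, PHP or this advisory), the constructed C model below puts the vulnerable shape of the case-folded comparison loop next to the shape with the bounds check described under Mitigation. The toy fold function, the buffer layout and every function name (lower_case_match_unchecked, lower_case_match_checked, demo_*) are assumptions made for this example; the real routine uses ONIGENC_MBC_CASE_FOLD and Oniguruma's encoding tables, and the guard it gained is the single `if (t >= tend) return 0;` line shown in the patch further down this page.

```c
#include <ctype.h>
#include <stdio.h>

/* Simplified model of the loop behind CVE-2019-19246 (constructed for this
 * page; not Oniguruma's code). In the real str_lower_case_match, t..tend is
 * the lower-cased literal stored in the compiled regex, p..end is the text
 * being matched, and ONIGENC_MBC_CASE_FOLD writes the folded form of one text
 * character into lowbuf and returns its byte length (lowlen). A fold that
 * expands one character into several bytes can make lowlen larger than the
 * bytes left in t, and a compare loop that trusts lowlen then reads past tend. */

#define LOWBUF_MAX 4  /* stands in for ONIGENC_MBC_CASE_FOLD_MAXLEN */

/* Toy case fold (constructed): ASCII letters fold to lower case; the byte 0xDF
 * (Latin-1 sharp s) folds to "ss", a 1-to-2 expansion of the kind that full
 * case folding produces. Consumes one byte from *pp, returns folded length. */
static int toy_case_fold(const unsigned char **pp, unsigned char *lowbuf)
{
    unsigned char c = *(*pp)++;
    if (c == 0xDF) {
        lowbuf[0] = 's';
        lowbuf[1] = 's';
        return 2;
    }
    lowbuf[0] = (unsigned char)tolower(c);
    return 1;
}

/* Vulnerable shape: the inner loop trusts lowlen and never consults tend. */
static int lower_case_match_unchecked(const unsigned char *t, const unsigned char *tend,
                                      const unsigned char *p, const unsigned char *end)
{
    unsigned char lowbuf[LOWBUF_MAX];
    const unsigned char *q;
    int lowlen;

    while (t < tend) {
        if (p >= end) return 0;          /* model simplification: text exhausted */
        lowlen = toy_case_fold(&p, lowbuf);
        q = lowbuf;
        while (lowlen > 0) {
            if (*t++ != *q++) return 0;  /* dereferences t even when t == tend */
            lowlen--;
        }
    }
    return 1;
}

/* Fixed shape, mirroring the one-line guard in Oniguruma commit d3e4029: each
 * folded byte is compared only after confirming t is still inside the literal;
 * a literal that ends before the folded sequence does is simply no match. */
static int lower_case_match_checked(const unsigned char *t, const unsigned char *tend,
                                    const unsigned char *p, const unsigned char *end)
{
    unsigned char lowbuf[LOWBUF_MAX];
    const unsigned char *q;
    int lowlen;

    while (t < tend) {
        if (p >= end) return 0;
        lowlen = toy_case_fold(&p, lowbuf);
        q = lowbuf;
        while (lowlen > 0) {
            if (t >= tend) return 0;     /* the added bounds check */
            if (*t++ != *q++) return 0;
            lowlen--;
        }
    }
    return 1;
}

/* Constructed scenario: the literal is "as" (2 bytes) but the text "A\xDF"
 * folds to "ass" (3 bytes). The literal lives in a larger buffer so that the
 * unchecked variant's out-of-bounds read stays inside this program's own
 * memory; the byte after tend is deliberately 's' to show that the unchecked
 * verdict depends on whatever happens to sit past the end of the buffer. */
static const unsigned char literal_buf[] = { 'a', 's', 's', 0 };
static const unsigned char text_buf[]    = { 'A', 0xDF };

static int demo_unchecked(void)
{
    return lower_case_match_unchecked(literal_buf, literal_buf + 2, text_buf, text_buf + 2);
}

static int demo_checked(void)
{
    return lower_case_match_checked(literal_buf, literal_buf + 2, text_buf, text_buf + 2);
}

/* Ordinary inputs still behave with the guard in place: "ABC" against literal
 * "abc" matches, "ABD" does not. Returns 1 when both results are as expected. */
static int demo_sanity(void)
{
    static const unsigned char lit[] = "abc";
    static const unsigned char ok[]  = "ABC";
    static const unsigned char bad[] = "ABD";
    return lower_case_match_checked(lit, lit + 3, ok, ok + 3) == 1 &&
           lower_case_match_checked(lit, lit + 3, bad, bad + 3) == 0;
}

int main(void)
{
    printf("unchecked: %d  (read past tend and matched the stray byte)\n", demo_unchecked());
    printf("checked:   %d  (literal shorter than folded text -> no match)\n", demo_checked());
    printf("sanity:    %d\n", demo_sanity());
    return 0;
}
```

The point for a defender is in the two demo results: the unchecked loop's answer is decided by a byte that lies outside the literal, which is the same defect seen from both angles the advisory names, a crash when that byte is unmapped and an oracle on heap contents when it is not. The guard is per byte rather than per character because one folded character can be several bytes, so checking once before the inner loop would need the full `lowlen` (`tend - t < lowlen`) to be equivalent.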

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

7d61aa2b2132

Prepare 7.3.10

https://github.com/php/php-src · Christoph M. Becker · Sep 24, 2019 · via osv
4 files changed · +5 -5
  • configure.ac (+1 -1, modified)
    @@ -108,7 +108,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
     PHP_MAJOR_VERSION=7
     PHP_MINOR_VERSION=3
     PHP_RELEASE_VERSION=10
    -PHP_EXTRA_VERSION="RC1"
    +PHP_EXTRA_VERSION=""
     PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
     PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
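Review bot: nothing in this hunk touches the bundled Oniguruma; it only clears PHP_EXTRA_VERSION from "RC1" to "", turning 7.3.10RC1 into the final 7.3.10. The same holds for the other three hunks of this commit, which are all version-string edits, so this commit records the release that shipped the str_lower_case_match fix rather than the fix itself; the code change is the separate Oniguruma commit d3e402928b6e listed below.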
     
    
  • main/php_version.h (+2 -2, modified)
    @@ -3,6 +3,6 @@
     #define PHP_MAJOR_VERSION 7
     #define PHP_MINOR_VERSION 3
     #define PHP_RELEASE_VERSION 10
    -#define PHP_EXTRA_VERSION "RC1"
    -#define PHP_VERSION "7.3.10RC1"
    +#define PHP_EXTRA_VERSION ""
    +#define PHP_VERSION "7.3.10"
     #define PHP_VERSION_ID 70310
    
  • NEWS (+1 -1, modified)
    @@ -1,6 +1,6 @@
     PHP                                                                        NEWS
     |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
    -12 Sep 2019, PHP 7.3.10RC1
    +26 Sep 2019, PHP 7.3.10
     
     - Core:
       . Fixed bug #78220 (Can't access OneDrive folder). (cmb, ab)
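Review bot: the visible lines only rewrite the section header from "12 Sep 2019, PHP 7.3.10RC1" to "26 Sep 2019, PHP 7.3.10"; no entry for the mbstring/Oniguruma heap over-read appears in this hunk. Since 7.3.10 is the release being associated with CVE-2019-19246, confirm the 7.3.10 section of NEWS carries an entry naming that fix, otherwise users reading NEWS cannot tell that this release addresses it.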
    
  • Zend/zend.h (+1 -1, modified)
    @@ -20,7 +20,7 @@
     #ifndef ZEND_H
     #define ZEND_H
     
    -#define ZEND_VERSION "3.3.10RC1"
    +#define ZEND_VERSION "3.3.10"
     
     #define ZEND_ENGINE_3
     
    
d3e402928b6e

fix heap-buffer-overflow

https://github.com/kkos/oniguruma · K.Kosako · Aug 13, 2019 · via osv
1 file changed · +1 -0
  • src/regexec.c (+1 -0, modified)
    @@ -4196,6 +4196,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag,
         lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf);
         q = lowbuf;
         while (lowlen > 0) {
    +      if (t >= tend)    return 0;
           if (*t++ != *q++) return 0;
           lowlen--;
         }
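Review bot: the guard is placed correctly: it sits inside the per-byte loop, so every dereference of `t` is bounded, including the later bytes of a multi-byte case-fold result, which is exactly what the loop previously over-read when `lowlen` exceeded the bytes left before `tend`. Two details worth recording in the commit message: `>=` is the right comparison, because `*t` at `t == tend` is already one past the end; and returning 0 treats a literal that runs out as a plain mismatch rather than an error, which is the intended semantics for case-insensitive literal comparison. An equivalent single check before the loop, `if (tend - t < lowlen) return 0;`, would remove the per-byte branch and may be worth considering in this hot path. A regression test pairing a short literal with a case-fold expansion longer than it would keep this from reappearing.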
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
