VYPR
Severity: Unrated · NVD Advisory · Published Feb 14, 2020 · Updated Aug 5, 2024

CVE-2019-20454

Description

Out-of-bounds read in PCRE2's JIT compiler when using \X in non-UTF mode, causing denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is an out-of-bounds read in PCRE2 before version 10.34. It occurs in the function do_extuni_no_utf in pcre2_jit_compile.c when a pattern containing \X is JIT-compiled and then matched against a crafted subject in non-UTF mode [1][2]. Any application that runs PCRE2's JIT over untrusted input is affected; for PHP 7.3 on RHEL 8, exposure depends on the pcre.jit setting, because the JIT path is only used when that option is enabled [1]. The flaw is confined to the JIT matching path.

Exploitation

An attacker needs a pattern containing \X that has been JIT-compiled (with the PCRE2_JIT_COMPLETE option) and then supplies a specially crafted subject string that triggers the out-of-bounds read during matching [1][2]. No authentication is required if the application accepts user-supplied regex patterns or subjects. In PHP, an attacker can craft a malicious input that causes a segmentation fault when it is processed by preg_match with such a pattern [2].

Impact

Successful exploitation causes an out-of-bounds read that crashes the process (denial of service) [1][3]. The available references do not indicate arbitrary code execution: it is a read-only out-of-bounds access that ends in a segmentation fault.

Mitigation

PCRE2 fixed this issue in version 10.34 [3]; users should upgrade to PCRE2 >= 10.34. For PHP on RHEL 8, the default configuration sets pcre.jit=0 in /etc/php.ini, which keeps matching on the non-JIT path and so prevents exploitation; do not enable JIT there until the library is upgraded [1]. Gentoo recommends emerging >=net-libs/pcre2-10.34 [3]. No workaround other than disabling JIT or upgrading is known.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 68

Patches: 1

031c07cc6169 (Release 10.34)
https://github.com/pcre2project/pcre2 · Philip Hazel · Nov 21, 2019 · via OSV

Vulnerability mechanics

Root cause

"An out-of-bounds read occurs in PCRE when the JIT compiler processes the \X pattern in non-UTF mode with specially crafted input."

Attack vector

An attacker can trigger this vulnerability by providing a specially crafted subject string to an application that uses PCRE2 to match untrusted input. The read goes out of bounds when a JIT-compiled \X pattern is matched against that subject in non-UTF mode, and the over-read crashes the application [1].

Affected code

The vulnerability resides in the `do_extuni_no_utf` function within the `pcre2_jit_compile.c` file. This helper implements \X, the extended grapheme cluster escape, for JIT-compiled patterns when the pattern is not in UTF mode. The issue is in how that function reads the next character out of the subject: it decodes it as if the subject were UTF even though the non-UTF path should consume exactly one code unit.

What the fix does

The patch modifies the `do_extuni_no_utf` function in `pcre2_jit_compile.c`. Before the fix, the function fetched the next character with `GETCHARINC(c, cc)`. When PCRE2 is built with Unicode support, that macro decodes a multi-unit UTF sequence whenever the first code unit looks like a lead unit, and it does so without checking against the end of the subject; in non-UTF mode a subject whose final byte is a UTF-8 lead byte therefore makes it read the expected continuation bytes past the end of the buffer. The fix replaces the macro with `c = *cc++`, which reads exactly one code unit, as non-UTF matching should, and so removes the out-of-bounds read (patch 031c07cc6169).
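To make the decoding difference concrete, here is an added example that is not PCRE2's code and not the fix itself: a C reconstruction of the two ways the helper can read a code unit, an unchecked UTF-8 decode that mirrors what `GETCHARINC` does when Unicode support is compiled in, beside the single-unit read the patch switches to. The function names (`decode_like_getcharinc`, `decode_single_unit`, `walk_subject`) and the subject strings are constructed for illustration; rather than dereferencing memory past the buffer, the unchecked decoder counts the bytes it would have read past the end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Continuation-byte count announced by a UTF-8 lead byte. The obsolete 5- and
 * 6-byte forms are kept because a lead-byte test of c >= 0xc0 accepts them. */
static int utf8_extra_len(unsigned char lead)
{
    if (lead < 0xc0) return 0;   /* ASCII or a stray continuation byte */
    if (lead < 0xe0) return 1;
    if (lead < 0xf0) return 2;
    if (lead < 0xf8) return 3;
    if (lead < 0xfc) return 4;
    return 5;
}

/* Vulnerable shape (reconstruction, not PCRE2 code): decode the unit at
 * s[*pos] as UTF-8 even though the pattern is non-UTF. Continuation bytes
 * are consumed without looking at len; bytes beyond len are counted in
 * *overread and replaced by 0x80 so the demo never touches memory past s. */
static uint32_t decode_like_getcharinc(const unsigned char *s, size_t len,
                                       size_t *pos, size_t *overread)
{
    uint32_t c = s[(*pos)++];
    int extra = utf8_extra_len((unsigned char)c);
    *overread = 0;
    if (extra > 0) {
        c &= (uint32_t)(0x3f >> extra);          /* drop the length-marker bits */
        for (int i = 0; i < extra; i++) {
            uint32_t cont;
            if (*pos < len) {
                cont = s[*pos];                  /* in bounds: real byte */
            } else {
                cont = 0x80;                     /* would be read out of bounds */
                (*overread)++;
            }
            (*pos)++;
            c = (c << 6) | (cont & 0x3f);
        }
    }
    return c;
}

/* Fixed shape, equivalent to the patch's `c = *cc++`: one code unit, no lookahead. */
static uint32_t decode_single_unit(const unsigned char *s, size_t len,
                                   size_t *pos, size_t *overread)
{
    (void)len;
    *overread = 0;
    return s[(*pos)++];
}

typedef uint32_t (*decoder_fn)(const unsigned char *, size_t, size_t *, size_t *);

typedef struct {
    size_t chars;      /* how many "characters" the decoder saw in the subject */
    size_t overread;   /* bytes it wanted from beyond the end of the subject */
} walk_result;

/* Step through a non-UTF subject one character at a time with the given
 * decoder, the way the \X helper advances over a grapheme cluster. */
static walk_result walk_subject(const unsigned char *s, size_t len, decoder_fn decode)
{
    walk_result r = {0, 0};
    size_t pos = 0;
    while (pos < len) {
        size_t over;
        (void)decode(s, len, &pos, &over);
        r.chars++;
        r.overread += over;
    }
    return r;
}

int main(void)
{
    /* Constructed subjects. The crafted one ends with 0xF0, the lead byte of a
     * four-byte UTF-8 sequence, so the unchecked decoder asks for three more bytes. */
    const unsigned char *benign  = (const unsigned char *)"abc";
    const unsigned char *crafted = (const unsigned char *)"ab\xf0";

    walk_result v = walk_subject(crafted, 3, decode_like_getcharinc);
    walk_result f = walk_subject(crafted, 3, decode_single_unit);
    printf("benign : vulnerable over-read %zu\n",
           walk_subject(benign, 3, decode_like_getcharinc).overread);
    printf("crafted: vulnerable over-read %zu, fixed over-read %zu\n",
           v.overread, f.overread);
    return 0;
}
```

The same walk also shows why the single-unit read is the right semantics for non-UTF mode: the two bytes `C3 A9` are two characters to the fixed decoder but a single decoded character to the unchecked one, which is the behaviour the JIT helper was wrongly applying to patterns compiled without PCRE2_UTF.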

Preconditions

  • Input: the application must use PCRE2 with JIT enabled and match untrusted input.
  • Input: the subject string must be crafted to trigger the out-of-bounds read when matched against a \X pattern in non-UTF mode.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7